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Symantec. 


The  company  that  pioneered  enterprise 
security  just  revolutionized  it. 
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Symantec  Integrated  Security 

Integrated 

Gateway  Security 

Integrated 

Client  Security 

Intrusion  Detection 

Intrusion  Detection 

Firewall/VPN 

P*  Firewall 

Content  Filtering 

Virus  Protection 

Virus  Protection 

Management 

Management 

Introducing  the  secure  enterprise.  Before  the  Internet,  before 
laptops,  before  e-anything,  Symantec ™  was  protecting  companies 
from  virus  attacks  and  malicious  code.  But  today's  world  is  radically 

different.  Threats  have 
become  more  complex, 
dangerous  and  costly; 
and  security  that 
was  once  considered 
adequate  is  now  rightly 
seen  as  incomplete 
and  vulnerable.  Now 
a  revolutionary  solution  has  arrived.  Symantec  Integrated  Security 
is  comprehensive  security  that  protects  your  entire  enterprise. 
Every  element  is  designed  to  work  together  as  a  seamless  and 
unified  system.  The  result  is  more  efficient  management,  quicker 
response  to  new  threats  and,  ultimately,  better  protection  for  your 
whole  company — from  your  gateway  with  Symantec “  Gateway 
Security ;  to  your  clients  with  Symantec M  Client  Security.  It’s  a  new 
way  to  understand  and  create  the  truly  secure  enterprise.  Join  the 
revolution.  Visit  http://ses.symantec.com/USB000A8VDl  or  call 
800-/45-6054  for  our  free  White  Paper,  “Integrated  Security: 
Creating  the  Secure  Enterprise 
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-DENNIS  TREECE, 
MASSPORT  DIRECTOR  OF 
CORPORATE  SECURITY 
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port  to  the  city’s  waterfront  shipping  facilities,  CSO  Dennis 
Treece  patrols  an  anxious  perimeter.  By  Lew  McCreary 
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INTELLECTUAL  PROPERTY  Intellectual  property  isn’t  always 
easy  to  identify.  It’s  even  harder  to  protect.  Here’s  how 
CSOs  can  work  with  others  to  protect  their  companies’ 
future.  By  Simone  Kaplan 

42  The  FUD  Factor 

MANAGING  UP  Fear,  uncertainty  and  doubt  may  help  scare 
your  company  into  short-term  compliance,  but  CSOs  say 
that’s  a  shortsighted  strategy.  By  Daintry  Duffy 
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everyone,  everywhere,  but  who’s  to  say  they’ll  get  it 
right?  By  Julie  Hanson 
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50  Security  Immaturity 

INFOSECURITY  SURVEY  A  survey  of  the  state  of  information 
security,  as  measured  against  ISO  guidelines,  shows  plenty 
of  room  for  improvement.  Is  the  problem  a  lack  of  overarch¬ 
ing  vision,  a  dearth  of  adequate  resources  or  a  little  of  both? 
By  Derek  Slater 
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Zero  to  Provisioning  in  3.2  weeks! 

In  as  little  as  3.2  weeks  (yes,  23  days  from  now)  the  industry’s  leading  provisioning 
solution  can  be  implemented  across  your  IT  systems.  That  means  no  more  provisioning 
delays,  no  more  ghost  accounts,  and  an  increased  level  of  enterprise  security  and 
efficiency  —  in  record  time! 

CONTROL- SA/QuickStart’s  high-speed  implementation  translates  into 
high-speed  provisioning  performance.  Access  rights  are  granted  in  minutes. 

Not  days.  Not  weeks.  Minutes!  And  revoked  just  as  fast.  The  severe  threat  of 
lingering  ghost  accounts  is  instantly  wiped  away.  And  with  central  identity 
management  and  audit  capabilities,  your  organization  is  one  step  closer  to 
full  regulatory  compliance. 

Start  reaping  the  fruits  of  CONTROL-SA-driven  provisioning  within  weeks. 

Call  800-865-4262  or  visit  www.bmc.com/security/quickstart. 

CONTROL- SA  -  the  foundation  for  secure  identity  management. 


HIGH-SPEED  IMPLEMENTATION 
WITH  CO NTRO L-SA®/ Qu  i ckStart 


BMC  Software,  the  BMC  Software  logos  and  all  other  BMC  Software  product  or  service  names  are  registered  trademarks  or  trademarks  of  BMC  Software,  Inc. 
All  other  trademarks  or  registered  trademarks  belong  to  their  respective  companies.  ©2003  BMC  Software,  Inc.  All  rights  reserved. 
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Security 
Counsel 

This  month,  Robert 
Bosco,  vice  presi¬ 
dent  of  security 
operations  for  HDR 
One,  which  pro¬ 
vides  security  con¬ 
sulting,  is  available  online  to  answer  your 
questions  about  how  to  ensure  the  physical 
security  of  your  company’s  office.  Visit 
SECURITY  COUNSEL  to  post  a  question  or 
to  read  past  expert  advice  columns. 
www.csoonline.com/counsel 


Free  Newsletters 

CSO  newsletters  delivered  right  to  your 
inbox  every  month— for  free.  CSO  UPDATE 
highlights  the  most  recent  content  posted 


e.com 


Only  Online 

Check  out  the  fresh  content  on 
CSOonline.com  each  weekday.  Here’s  a 
rundown  of  what  you’ll  find: 

MONDAY 

TALK  BACK  Did  the  national  strategy  to 
secure  cyberspace  wimp  out?  Visit  each 
week  to  share  your  opinions  on  that  and 
other  controversial  security  topics. 

www.csoonline.com/talkback 

TUESDAY 

SECURITY  CHECK  Quick  and  easy.  Take 
our  weekly  poll.  You  can  also  check  the 
results  of  previous  polls  such  as  “Are  senior 
executives  working  with  you  to  protect  your 
company’s  intellectual  property?”  Most 
respondents  (63  percent)  answered  no. 
www.csoonline.com/poll 


on  CSOonline.  CSO  WANTED  UPDATE 


WEDNESDAY 


alerts  you  to  the  latest  security- related  job 
openings  in  our  database.  It  takes  only  a 
few  seconds  to  subscribe. 

www.csoonline.com/newsletters 

CSO  Research  Centers 

Visit  CSOonline’s  research  centers  to  find 
archived  articles  from  CSO,  webcasts,  inter¬ 
views  and  links  to  relevant  sources.  Our 
editors  update  the  content  in  the  research 
centers  frequently,  so  be  sure  to  visit  them 
often  to  keep  up-to-date. 

SECURITY  EXECUTIVE  Basics,  profiles 
and  member  organizations. 
www.csoonline.com/executive 
LEGISLATION  &  POLICY  Laws  and  lia¬ 


ANALYST  REPORTS  We’ve  gathered 
research  and  analysis  from  respected 
sources  and  put  all  of  it  into  one  conven¬ 
ient  package.  In  a  recent  report,  the  Robert 
Frances  Group  examines  the  role  of  the 
CSO  and  why  companies  should  create 
the  position  if  they  don’t  already  have  it. 
www.csoonline.com/analyst 

THURSDAY 

METRICS  Did  you  know  that  the  United 
States  was  the  number-one  target  of  hack¬ 
ers  in  2002?  Visit  each  week  for  the  sur¬ 
veys  and  statistics  that  matter  for  security 
professionals. 

www.csoonline.com/metrics 


bility,  national  security  agencies  and  organi¬ 
zations.  www.csoonline.com/legislation 
THREATS  &  RECOVERY  Issues  affecting 
corporate  IT,  privacy  and  physical  security. 

www.csoonline.com/threats 

STRATEGY  &  MANAGEMENT  Risk 


FRIDAY 

POLITICS  &  POLICY  Read  the  full  text  of 
bills  before  the  House  and  Senate,  and 
blurbs  about  other  legislative  and  political 
activity— inside  the  Beltway  and  out. 

www.csoonline.com/politics 


analysis,  budgeting  and  policies. 

www.csoonline.corn/strategy 
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In  a  world  where  there’s  a  different  kind  of  threat  every  day,  you  need  a  different  kind  of  security. 

New  threats  can  blow  right  through  any  firewall  or  anti-virus  software.  That's  where  we  come  in.  Our  dynamic  protection 
helps  you  conduct  business  safely  in  the  face  of  ever-changing  threats  and  increased  risk.  From  proactive  research  and 
award-winning  software  to  24/7  protection  and  response  services,  our  solutions  detect,  prevent  and  respond  to  online 
attacks  and  misuse.  No  matter  who  you're  up  against.  To  learn  more,  call  800-776-2362.  Or  visit  www.iss.net/ad/cso. 
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Imagining  Godzilla 


We  (in  this  usage,  the  planetary  we)  are  now  beset  with 
various  richly  controversial  examples  of  risk.  They  range 
from  the  merely  large  to  the  truly  gargantuan:  from  the 


ongoing  dissection  of  the  space  shuttle  Columbia  disaster  and  the  Rhode  Island 
nightclub  fire  (both  of  which  may,  in  varying  degrees,  come  down  to  a  matter 
of  risk  assessment  gone  wrong)  to  the  colossal  geopolitical  menaces  that  now 
hunker  in  the  daily  consciousness  like  a  tribe  of  pre-rampage  Godzillas.  Since 
this  magazine’s  topic,  writ  large,  is  risk,  it  seems  fitting  to  consider  a  sometimes 
unacknowledged  reality:  Godzilla-class  risks  resist  easy  assessment. 

Reasonable  people  around  the  globe  can  be  heard  today  disagreeing  wildly 
about  which  constitutes  the  greatest  risk:  attacking  Iraq  or  not  attacking  Iraq. 
As  it  happens,  the  debate  may  turn  out  to  have  little  bearing  on  what  actually 
happens.  But  on  both  sides  are  marshaled  compelling  arguments  about  the 
causal  chains  of  disastrous  or  beneficial  outcomes  likely  to  ensue  in  each 
instance.  On  the  one  hand,  aggressive  unilateralist  American  intervention  may 
trigger  waves  of  terrorism  that  menace  domestic  security  for  years  to  come.  On 
the  other  hand,  equivocation,  inaction  and  appeasement  may  allow  tyranny  to 
grow  unchecked,  sowing  the  seeds  of  escalating  evil  down  the  road.  The  situa¬ 
tion  of  growing  tensions  with  North  Korea  presents  the  same  sort  of  brew  of 
perplexing  variables,  all  swirling  around  the  choice  between  “rewarding  bad 
behavior”  and  “failing  to  engage  in  a  constructive  dialogue.” 

Risk  assessment  is  in  part  an  outgrowth  of  policy.  If  your  policy  is  that  you 
never  reward  bad  behavior,  then  failing  to  engage  in  constructive  dialogue  will 
fall  to  a  lower  rung  on  the  risk  ladder.  But,  as  I  wrote  in  an  earlier  column,  good 
risk  assessment  requires,  in  addition  to  policy  and  data,  an  active  imagination. 
You  have  to  be  able  to  walk  down  the  if-then  path  with  open  eyes  and  an  open 
mind.  If  policy  or  other  considerations  cause  eyes  and  minds  to  close,  decision 
making  is  impaired.  Consider  the  e-mail  threads  made  public  in  the  shuttle  dis¬ 
aster  investigation.  A  team  of  engineers  was  able  to  game  out  scenarios  that 
appear  to  have  been  eerily  prescient  in  describing  the  shuttle’s  breakup  before  it 
happened.  But  did  a  rigid  belief  in  only  the  most  optimistic  cooling-tile  damage 
assessments  preclude  those  scenarios  getting  their  due? 

An  article  in  the  April  Atlantic  Monthly  explores  President  Bush’s  decision¬ 


making  process  and  finds  it  to  be  lamentably  low  on 
imagination.  If  imagination  is  the  row  of  open  windows 
interposed  between  a  complex  decision  and  its  possible 
outcomes,  no  decision  should  ever  be  made  without 
taking  a  look  out  each  of  those  windows.  As  you  will 
read  in  our  own  cover  story  profiling  Dennis  Treece, 
the  director  of  corporate  security  for  the  Massachusetts 
Port  Authority,  one  of  his  quests  is  to  find  ways  of 
bringing  more  and  better  data  to  bear  on  evaluations  of 
risk  (see  “Safe  Harbor,”  Page  28).  But  Treece  relies  on 
more  than  data.  He  also  turns  his  vivid  imagination  on 
every  source  of  potential  vulnerability  that  falls  within 
his  domain  (Logan  Airport’s  unprotected  beach  espe¬ 
cially  irks  him).  Only  by  imagining  the  worst  that  could 
happen  can  Treece  comfortably  hope  for  the  best. 

At  this  moment  of  elevated  global  risk,  we  hope  that 
Mr.  Bush  has  likewise  exercised  his  imagination,  pic¬ 
turing  a  world  pitched  headlong  into  concatenating, 
uncontrollable  catastrophes. 

-Lew  McCreary 
mccreary@cxo.com 


PS:  The  medallion  on  our  cover  represents  bragging 
rights  conferred  on  CSO  by  American  Business  Media, 
which  honored  us  with  the  2003  Jesse  H.  Neal  Award  as 
“Best  Start-Up  Publication.”  We  are  pleased  to  have  the 
validation  of  our  peers  in  the  business  press,  who  recog¬ 
nized  the  importance  of  our  mission  and  our  audience. 


6  www.csoonline.com  April  2003 


PHOTO  BY  WEBB  CHAPPELL 


■\  n 


•  .  •  ,  •  :/•  ..V  v-  T.-'v  .  *V*’3»v" 

He  just  found  out  he’s  responsible  for  the  video  surveillance  network 


CCTP  would  have  made  his  life  much  easier  CCTP,  engineered  by  Anixter,  is: 


Introducing 

OCCTP 

video  surveillance  for  the  digital  age 

Want  to  know  more? 

Simply  go  to  anixter.com/CCTP 

or  call  1-800-ANIXTER. 


•  The  only  open  architecture,  standards-based, 
structured  video  surveillance  solution 

•  30%  less  expensive  than  traditional 
CCTV  systems 

•  Video,  Power  and  Control  over  one  optimized 
UTP  cable 

•  Able  to  handle  existing  analog  technology 

•  Ready  for  the  IP  surveillance  future 

»CCTP  products  exclusively  manufactured  for  Anixter  by  Belden  and  Siemon. 


How  to  Reach  Us 


Risk  Management  vs.  Due  Diligence 

Our  December  issue  focused  on  risk:  how  to 
calculate  it,  prepare  for  it  and  expose  it.  Some 
of  you  lauded  the  issue,  and  some  of  you 
were  more  skeptical.  If  you  want  to  weigh  in, 
you  can  find  the  issue  at  www.csoonline.com. 
Here’s  a  view  from  both  sides  of  the  debate. 

THE  PROCESS  THAT  WRITER  SCOTT 

Berinato  sketches  out  really  works  [“Calcu¬ 
lated  Risk”].  When  you  complete  a  com¬ 
prehensive  risk  analysis  to  identify  material 
risks  and  evaluate  the  ROI  of  potential 
security  measures,  the  optimum  security 
strategy  becomes  clear.  CFOs  also  begin  to 
feel  comfortable  about  making  resources 
available.  Note  that  this  kind  of  analysis 
will  also  identify  the  security  measures  that 
are  not  economically  sound.  CFOs  love  to 
hear  the  CSO  say  where  not  to  spend 
money. 

BOB  JACOBSON 

President 

International  Security  Technology 

YOUR  SPECIAL  REPORT,  “HOW  TO  WIN 

at  Risk,”  gives  many  false  impressions  and 
unworkable  and  impractical  guidance  to 
your  readers.  It  amazes  me  that  so  much  is 
written  and  recommended  about  using  risk 


reduction  assessments  when,  to  my  knowl¬ 
edge,  nobody  has  ever  proven  their  effec¬ 
tiveness  or  shown  that  the  security  risks 
estimated  in  specific  assessments  have 
been  correct.  Risk  reduction,  risk  assess¬ 
ment  and  risk  management  are  the 
emperor’s  new  clothes.  Meeting  stan¬ 
dards  of  measurable  due  diligence  is 
a  far  better  objective. 

Security  risk  is  misunderstood 
by  many  practitioners  in  the 
information  security  field.  Secu¬ 
rity  risk  is  not  under  our  con¬ 
trol.  It  is  under  the  control  of  our  many 
unknown  and  known,  and  rational  and 
irrational  enemies.  The  defenders  cannot 
manage  risk  in  the  present  imperfect  secu¬ 
rity  state  of  our  information,  let  alone 
measure  and  control  it. 

Many  people  in  information  security 
lose  sight  of  the  fact  that  we  are  defending 
our  information  not  only  from  attacks  such 
as  denial  of  service,  Trojan  horse  or  false 
data  entry,  but  more  basically  from  the 
smart  enemies  that  engage  in  the  attacks. 
These  enemies  have  objectives  of  making 
gains  and  causing  us  losses,  and  if  one  of 
their  methods  is  thwarted  by  our  safe¬ 
guards,  then  they  will  find  another 
unprotected  known  vulnerability  or  one 
unknown  to  us  to  accomplish  their  nefari¬ 
ous  objectives.  Therefore,  if  we  enhance  a 
safeguard  or  install  a  new  one,  it  is  not  pos¬ 
sible  to  know  whether  that  action  has 
increased,  decreased  or  not  changed  our 
overall  risk.  All  we  can  know  is  whether  we 
have  increased  our  due  diligence  based  on 
whether  the  safeguard  is  a  generally 
accepted  one  that  fits  a  need. 

I  have  easily  obtained  management  sup¬ 
port  for  my  security  recommendations 
based  on  due  diligence  in  more  than  250 
security  reviews  during  my  35  years  as  a 
consultant.  Due  diligence  may  be  achieved 
using  threat  and  vulnerability  analysis, 
threat  scenarios,  benchmarking  relative  to 
organizations  under  similar  circum- 
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senting  95  percent  of  worldwide  IT  spending.  IDG  pub¬ 
lishes  more  than  300  newspapers  and  magazines  in  85 
countries,  led  by  the  Computerworld,  Infowortd,  Mac¬ 
world,  Network  World,  PC  World  and  CIO  global  prod¬ 
uct  lines.  IDG  offers  online  users  the  largest  network  of 
technology-specific  sites  around  the  world  through 
IDG.net  ( www.idg.net ),  a  gateway  to  IDG's  330  websites 
powered  by  more  than  2,000  journalists  reporting  from 
every  continent  in  the  world.  IDG  also  produces  168 
technology-related  conferences  and  events,  and 
research  company  IDC  provides  global  market  intelli¬ 
gence,  analysis  and  forecasts  in  43  countries. 


stances,  and  use  of  the  many  generally 
accepted  sources  of  our  common  body  of 
knowledge  of  known  safeguards  and  secu¬ 
rity  products.  I  find  that  it  is  not  necessary 
to  present  management  with  dubious 
guesstimates  of  intangible,  unmeasurable 
security  risks  that  do  not  necessarily  prove 
the  need  for  specific  safeguards  to  gain 
their  support.  Our  objective  of  risk  reduc¬ 
tion  is  the  wrong  basis  for  information 
security.  It  should  be  due  diligence. 

DONN  B.  PARKER 

We  want  to  hear  from  you 

To  respond  to  articles  you’ve  read  in  CSO,  write 
to  us  at  csoletters@cxo.com.  We  welcome  your 
criticism,  thoughts  and  suggestions. 
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Can  your  network  pass  the 
SANS/FBI  security  test? 


The  Federal  Bureau  of  Investigation  and  the  SANS 
Institute,  an  independent  association  of  more  than 
156,000  information  security  professionals  in 
October  2002  published  a  roster  of  the  Top  20 
Internet  security  vulnerabilities.  Successful  intrusions 
of  Internet  connected  systems  usually  exploit  one  or 
more  of  these  flaws.  You  need  to  know  which  ones 
you’ve  got  to  ensure  your  network  is  secure. 


Qualys  makes  that  easy  -  and  free. 

Find  out  now  at  http://sans20.qualys.com 


Qualys  provides  a  comprehensive,  ON-DEMAND 
security  audit  service  for  the  enterprise.  With  Qualys, 
organizations  can  effectively  manage  their  vulnerabilities 
and  have  control  over  their  network  security  with 
centralized  reports  and  one-click  links  to  verified 
remedies.  And  because  the  service  is  delivered  over  the 
web,  enterprises  can  run  network  security  audits 
anytime,  and  get  the  results  delivered  in  minutes 
without  the  extra  cost  of  deployment  and  maintenance. 


Find  out  in  minutes  at 
http://sans20.qualys.com 


For  product  information,  call  toll-free  1-800-745-4355  or  visit  www.qualys.com. 

©  2003  Qualys  Corporation,  all  rights  reserved 
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SUNDAY,  APRIL  27 

8:00  am-l:30  pm 

Golf  Tournament 

3:00  pm-5:00  pm 

Registration 

6:00  pm-8:00  pm 

Registration,  Welcome 
Reception  &  Golf  Awards 


MONDAY,  APRIL  28 

7:00  am-8:00  am 

Networking  Breakfast 


8:00  am-8:15  am 
Welcome 
ABBIE 
LUNDBERG, 

Editor  in  Chief, 

CIO  Magazine 
JONATHAN 
ZITTRAIN,  Con¬ 
ference  Moderator 
and  Cofounder, 

The  Berkman 
Center  for  Internet 
&  Society,  Harvard 
Law  School 


8:15  am-9:15  am 
The  Complete  CIO 

CHARLIE  FELD, 

Founder,  The  Feld 
Group  &  Former 
CIO  of  First  Data 
Resources,  Delta 
Air  Lines,  Burling¬ 
ton  Northern  and  Frito-Lay 

CIOs  increasingly  have  more  of  a 
hand  in  defining  and  driving 
corporate  business  strategy.  And 
everyone— business  line  man¬ 
agers,  the  executive  management 
team,  the  CEO,  the  board  of 
directors— has  greater  expecta¬ 
tions  of  their  CIO.  What  are  the 
essential  skills  and  attributes 
needed  to  thrive  in  the  CIO  role 
today?  Charlie  Feld  talks  about  his 
own  experiences  over  time  as 
CIO  of  very  diverse  businesses, 
arid  what  his  client  companies 
uornand  today. 


9:15  am-9:40  am 

2nd  Annual  State  of  the  CIO 
Survey  Results 
Highlights 

LORRAINE 
COSGROVE, 

Research  Editor, 

CIO  Magazine 

This  year's  exclusive  survey  of  over 
500  IT  chiefs  reveals  a  very  differ¬ 
ent  set  of  challenges  and  a  new  set 
of  priorities  from  a  year  ago.  We 
share  some  of  the  highlights. 

9:40  am-10:30  am 

View  from  the 
Top:  Creating 
Value  Through  IT 

NIGEL  MORRIS, 

Cofounder,  Presi¬ 
dent  &  COO, 

Capital  One  Corp. 

Morris  shares  his  viewpoint  on  the 
role  of  IT,  and  the  criteria  for 
measuring  a  CIO’s  ability  to 
articulate  and  deliver  true  IT  value 
to  the  enterprise. 

10:30  am-ll:00  am 

Coffee  Break  and  Sponsor 
Exhibits 

11:00  am-12:40  pm 

Sponsor  Briefings 

12:45  pm-2:15  pm 

Networking  Lunch 

2:30  pm-3:30  pm 

The  CIO  Interview 

MONTE  FORD 

Senior  Vice  Presi¬ 
dent  &  CIO,  Amer¬ 
ican  Airlines 

Ford  took  on  the  top  IT  spot  at  the 
world’s  biggest  airline  at  the  end  of 
2000,  then  had  to  deal  with  the 
acquisition  and  merger  of  TWA,  the 
economic  recession,  Sabre  selling 
its  outsourcing  business  to  EDS— 
and  the  events  of  9/11.  CIO  maga¬ 
zine  Editor  in  Chief  Abbie  Lund- 
berg  talks  with  Ford  about  his 


pivotal  role  in  the  organization  and 
his  plans  for  the  future  of  IT. 

2:30  pm-3:30  pm 

Delivering  Value:  How  to 
Manage  Your  IT  Portfolio  and 
Make  a  Strong  Business  Case 

Moderator: 

ABBIE 
LUNDBERG, 

Editor  in  Chief, 

CIO  Magazine 
Participants: 

TIMOTHY  M. 

FERRARELL,  Senior 
Vice  President, 

Enterprise  Systems, 

W.W.  Grainger,  Inc. 

JACK  KEEN,  Coau¬ 
thor,  Making  Tech¬ 
nology  Investments 
Profitable 
DR.  HOWARD 
RUBIN, 

Vice  President, 

META  Group,  Inc. 

In  today's  business  environment, 
it's  all  about  value.  And  it's  up  to 
the  CIO  to  make  sure  that  every  IT 
investment  delivers  maximum 
returns.  In  this  session,  we'll 
explore  how  to  build  the  portfolio 
that's  right  for  your  organization, 
how  to  manage  it  for  greatest 
business  benefit,  and  how  to  use  it 
as  an  effective  communications 
tool  with  your  business  partners. 
We’ll  also  discuss  how  to  make  a 
compelling  business  case  for  new 
IT  initiatives— even  if  your  com¬ 
pany  is  in  cost-cutting  mode. 

5:00  pm-6:30  pm 

CIO  Peer-to-Peer 
Networking  &  Reception 

TUESDAY,  APRIL  29 

7:00  am-8:00  am 

Breakfast  &  Informal 
Discussion  Roundtables 


8:00  am-8:45  am 

What  Every  CIO  Should 
Know  About  Digital  Rights 
Management 
JONATHAN  ZITTRAIN 


Entertainment  companies  aren’t 
the  only  ones  with  digital  content 
worth  safekeeping.  More  compa¬ 
nies  now  are  realizing  the  potential 
threats  and  are  seriously  weighing 
the  risks  of  not  implementing 
digital  rights  management  (DRM) 
technologies.  Zittrain  explores 
recent  trends  in  DRM  deployment 
and  discusses  the  impact  on 
businesses  of  all  types. 


8:45  am-9:45  am 

Best  Practices  for 
Getting  Outsourc¬ 
ing  Right 

Moderator: 

MARTHA  HELLER, 

Director,  CIO  Best 
Practice  Exchange 
&  CIO  Select 
Panelists:  LARRY 
FRAZIER, 

CIO,  Chevron 
Phillips  Chemical 
Company  LP 
DANIEL  L. 

ROBERTS,  Execu¬ 
tive  Vice  President  & 

CIO,  PMI  Group,  Inc. 

HANK  ZUPNICK, 

Senior  Vice  Presi-  f  ^*3 1L 
dent  &  CIO,  GE  Real  Estate 

Any  CFO  will  tell  you  that  the  more 
you  outsource  the  more  you  save. 
But  as  CIO,  you  know  the  pitfalls: 
lowered  productivity,  cultural 
conflicts,  service  level  problems,  to 
name  only  a 

few.  This  panel  of  CIOs,  drawn 
from  the  CIO  Best  Practice 
Exchange,  our  online  network  of 
CIOs,  will  provide  best  practices 
for  determining  what  to  outsource 
when,  and  how  to  sell  the  strategy 
to  the  board. 


9:45  am-10:30  am 
Becoming  a  Trusted 
Business  Partner 
JERI  DUNN, 

Senior  Vice 
President  &  CIO, 

Tyson  Foods,  Inc. 

The  CIO’s  sphere  of 
influence  has  never  been  larger. 
You  must  work  with  executive 
management  and  peers,  internal 
and  external  customers,  line  of 
business  directors,  staff  and 
vendors.  You  must  set  and  achieve 
both  strategic  and  tactical  goals, 
articulate  and  demonstrate  ROI, 
communicate  and  manage  expec¬ 
tations.  Dunn  shares  the  benefit  of 
her  experience. 


10:30  am  —11:00  am 

Coffee  Break  & 

Sponsor  Exhibits 

11:00  am-12:40  pm 

Sponsor  Briefings 

12:45  pm-2:00  pm 

Networking  Lunch 

2:15  pm-3:30  pm 

InFocus  Workshop  #1 
Building  the  Right  Team:  Your 
Success  Depends  On  It 
JUDY  B.  HOMER, 

President,  JB 
Homer  Assoc. 

Building  the  right  IT 
team  may  not  be  an 
easy  task— but  as  a 
CIO  your  success  depends  on  it.  In 
today's  highly  competitive  technol¬ 
ogy  talent  market,  what  factors  do 
you  look  for  when  you  recruit  and 
build  yourteam  that  will  contribute 
to  realizing  your  goals?  How  can 
you  become  a  more  effective 
leader  of  your  team?  Executive 
recruiter  Judy  Homer  provides  you 
with  tools  to  identify  and  overcome 
the  obstacles  in  your  path,  and  set 
the  milestones  for  measuring  your 
success.  Workshop  participants 
develop  strategies  and  create  a 
checklist  for  visualizing  your  goals 
and  for  building  the  team  needed 
to  support  you  in  making  them  a 
reality. 


InFocus  Workshop  #2 
Meeting  Your  Goals:  Where 
Executive  Coaching  Can  Help 
MICHAEL 
BRENNER,  Chief 
Resource,  Brenner 
Executive 
Resources,  Inc. 

The  biggest  prob¬ 
lems  many  CIOs  face  are  with 
people,  not  with  technology.  The 


CIO  needs  to  adapt  to  greatly 
different  human  interactions  to 
handle  the  360  degrees  of  interac¬ 
tion.  You  can't  always  be  your  own 
mentor.  Executive  coach  Michael 
Brenner  discusses  the  special 
challenges  CIOs  face  and  how  to 
use  executive  coaching  as  a  tool. 
The  benefits  can  include  having  an 
objective  sounding  board,  deter¬ 
mining  accountability,  resolving 
conflict  and  maintaining  work/life 
balance.  He  provides  sources  of 
executive  coaches,  tips  on  how  to 
pick  and  work  with  one,  and 
explores  specific  situations 
suggested  by  attendees. 

InFocus  Workshop  #3 
Plugging  Business  Case 
Leaks  in  the  IT  Value  Pipe 

JACK  KEEN, 

Coauthor,  Making 
Technology 
Investments 
Profitable 

A  dependable 
business  case  is  a  vital  manage¬ 
ment  tool,  not  just  to  "get  the 
money,"  but  throughout 
the  entire  life  cycle  of  a  project, 
from  the  moment  it  is  conceived, 
through  proposing,  selection, 
implementation  and  systems 
operations.  Like  many  things  in 
life,  however,  business  case 
appearances  can  be  deceiving— 
the  majority  are  unintentionally 
inaccurate  and  incomplete,  thus 
dangerously  misleading  in  their 
recommendations  to  manage¬ 
ment.  Keen  shows  us  how  to 
identify  the  likeliest  weak  links  and 
fix  them.  He  shares  how  to  avoid 
missing  benefits,  missing  intangi¬ 
bles  and  poorly  supported  calcula¬ 
tions  and  reasoning. 

InFocus  Workshop  #4 
Effectively  Marketing  IT 
Internally 

PATTY  JARAMILLO,  Founder, 
Creative  IT  Marketing 

A  common  CIO  lament  is  that  the 
business  and  financial  sides  of  the 
house  don't  understand  IT— but 
Jaramillo’s  recent  study  shows 
that  most  CIOs  do  not  have  a  plan 
in  place  for  internal  marketing 
communications  for  IT.  To  be 
successful,  you  need  to  continually 
educate  the  business  side  to  IT 
value,  and  you  need  to  do  it  in 
terms  they  understand.  Jaramillo 
talks  about  the  importance  of 
being  an  active  communicator,  and 
shares  techniques  and  tools  that 


have  worked  for  a  number  of 
organizations. 

InFocus  Workshop  #5 
Sarbanes-Oxley:  Section  404 
Compliance  Starts  With  The 
CIO,  No  Question  About  It. 

Are  You  Ready? 

NEIL  B.  JACKSON,  CISA 
Business  Manager,  Global  Infor¬ 
mation  Technology 
E*TRADE  Group,  Inc. 

Learn  how  certifications  by  your 
CEO  and  CFO  are  dependent  on 
your  assessment  of  your  internal 
controls  within  technology.  Under¬ 
stand  the  COSO  framework  of 
defining  internal  control  and  how 
you  assess  their  legal  effectiveness. 
Understand  your  legal  responsibili¬ 
ties  to  disclose  deficiencies  and 
how  a  GAP  analysis  will  help. 
Understand  how  your  internal  and 
external  audit  function  can  help  you 
achieve  your  new  responsibilities. 
Take  back  solutions  and  important 
advice  from  your  new  and  trustwor¬ 
thy  friend,  Internal  and  External 
Audit. 

3:45  pm-4:45  pm 

Developing  the  Next  Genera¬ 
tion  of  IT 
Leaders 

Moderator:  RICK 
SWANBORG, 

President,  1C  EX 
Panelists:  DAVID 
GUZMAN, 

Senior  Vice  Presi¬ 
dent  &  CIO,  Owens 
&  Minor 
EDWARD  L. 

GLOTZBACH, 

Executive  Vice 
President  &  CIO, 

SBC 

MICHAEL  HARTE, 

Executive  Vice 
President  &  CIO, 

PFPC 

MAMIE  MILLARD, 

Senior  Vice  Presi¬ 
dent,  Technology, 
Travelocity.com 

In  addition  to  honing  their  own 
leadership  abilities,  CIOs  are 
concerned  with  identifying  and 
developing  effective  leaders  in 
their  organizations.  Swanborg  and 
a  panel  of  CIOs  discuss  the  chal¬ 
lenges  involved,  and  share  the 
techniques  they've  used  to  mold 
the  next  generation  of  IT  leaders. 


4:45  pm-5:30  pm 

How  to  Get  a  Life 
DR.  RICK 
BRINKMAN, 

Author  of  Life  By 
Design:  Making 
Wise  Choices  in  a  Mixed-Up 
World 

With  the  Internet,  cell  phones, 
laptops,  wireless  and  loads  of 
other  nifty  gadgets,  we  can  now 
work  anytime,  from  anywhere  in 
today’s  24/7  global  business 
environment.  Dr.  Rick  looks  at  why 
it’s  increasingly  important  to 
maintain  a  healthy  balance 
between  Life  and  Work. 

5:30  pm-5:45  pm 

Closing  Summary 
JONATHAN  ZITTRA1N 

5:45  pm-6:45  pm 

Networking  Reception 

7:30  pm-9:30  pm 

CIO  Dinner  Party 

This  CIO  Perspectives 
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The  world  has  changed.  As  security  professionals,  we  now  have  to  be  prepared  for  anything,  including  the  unspecified  and  the 

'■  . 

unthinkable.  It’s  an  enormous  responsibility,  but  one  that  doesn’t  have  to  be  yours  alone.  We  understand  how  your  job  is  more 
important  now  than  ever  before,, and  we  want  to  help.  Let  us  get  to  know  your  business  and  your  concerns.  Then  we’ll  draw  from 
the  broadest  range  of  products  and  experience  available,  including  the  latest  in  digital  video  and  access  control.  All  to  create  a  solution 
that  meets  the  unique  security  needs  of  your  company.  Getting  in  touch  is  easy.  Just  call  us  at  1-  877-258-6424  or  visit  adt.com. 
•  f-  And  when  everybody  looks  to  you  for  peace  of  mind,  look  to  us.  ADT.  Always  there. 
iwm.  * 


CSO  SECURITY  CHECK 


Are  senior  executives 
working  with  you  to 
protect  your  company’s 
intellectual  property? 


LEGAL  MATTERS  Getting  caught  crying  wolf  on  issues  of  national  security  could  have 
serious  ramifications,  says  Jim  Albertine,  president  of  the  American  League  of  Lobbyists. 

Albertine  is  referring  to  a  case  in  October  2002  in  which  VeriSign  coerced  the  Commerce 
Department  into  making  a  quick  decision.  VeriSign  feared  the  two  DNS  root  servers  it  main¬ 
tains  might  come  under  attack  by  hackers.  The  company  claimed  that  leaving  the  root  server  at 

its  current  location  could  compromise  national  security. 

The  result:  VeriSign’s  request  was  moved  along  and 
approved  two  days  later  by  the  Internet  Corporation  for 
Assigned  Names  and  Numbers. 

The  company’s  actions  highlight  a  growing  tendency 
among  organizations  seeking  funding  or  regulatory  approval: 
Businesses  are  using  current  security  hype  to  speed  up  slow 
government  approval  processes.  It’s  a  trend  that  has  govern¬ 
ment  watchdog  groups  on  alert. 

“It  takes  time  to  weigh  the  merits  of  a  company’s  case,” 
says  Celia  Wexler,  senior  policy  analyst  for  Common  Cause,  a 
lobbying  organization  in  Washington,  D.C.  “We  don’t  want 
an  agency  rubber-stamping  what  a  company  wants  to  do 
unless  it  meets  with  the  public’s  interest.” 

“In  terms  of  internal  security,  there’s  new  thinking  since 
9/11,”  says  Albertine.  He  points  to  executive  orders  that  have 
expedited  procurement  processes  at  the  departments  of 
Energy,  Transportation  and  Defense  as  examples  of  the  new 
attitude  in  Washington. 

“We’re  not  talking  about  leap-frogging  the  process;  we’re 
talking  about  expediting  it,”  says  Albertine. 

Companies  and  their  lobbyists  must  be  truthful  about 
their  intentions  when  approaching  the  government.  Either 
there’s  a  wolf  or  there  isn’t.  -Paul  Roberts 


You  reported  that  you're  not 
getting  the  support  you  need 
to  protect  your  business’s 
intellectual  property. 


For  advice,  see  Staff  Writer  Simone 
Kaplan’s  story  “Don't  Lose  Your 
Head”  on  Page  36.  To  participate  in 
monthly  CSO  Security  Check  polls, 
visit  www.csoonline.com. 


News,  Stats  and  Fast  Facts 

Edited  by  Kathleen  Carr  and  Daintry  Duffy 


Dear  Friend... 


SPAM  First  off,  that  is  not  the 
personal  assistant  to  the  former  king 
of  Rwanda  e-mailing  you. 

It's  spam,  of  course,  but  fraudulent 
spam.  What  can  you  do  about  it?  So  far, 
just  watch  it  grow  out  of  control.  The 
Federal  Trade  Commission  reports  that 
e-mail  and  the  Internet  have  quickly 
become  the  media  of  choice  for  scam 
artists. 

The  FTC  researched  380,000 
logged  complaints  from  2002  and 
found  a  startling  47  percent  were 
Internet  related,  up  from  31  percent  the 
year  before.  Additionally,  43  percent  of 
complaints  were  identity  theft  related, 
up  1  percent  from  the  previous  year. 

But  the  number  of  ID  theft  complaints 
jumped  from  220,000  to  380,000. 

(That  number's  not  likely  to  come  down 
in  2003,  either.  As  this  story  went  to 
press,  news  broke  that  hackers  made 
off  with  approximately  5.6  million  Visa 
and  MasterCard  numbers.) 

Of  course,  much  of  this  fraud  comes 
through  spam.  The  reason  online  fraud 
has  taken  off  is  the  same  reason  spam 
marketing  has-with  distribution  costs 
near  zero,  the  perpetrator  can  easily 
increase  the  volume  of  attempted 
scams  and  the  odds  that  someone 
out  there  will  respond. 

In  general,  spam  is  becoming  a 
security  team’s  burden,  and  security 
vendors  have  responded  with  all  man¬ 
ner  of  appliances  and  architectures  to 
filter  the  junk.  None  seems  to  work 
particularly  well;  or,  put  another  way, 
none  seems  to  keep  up  with  the  tricks 
of  the  fraud  trade.  Just  look  at  the 
skyrocketing  FTC  numbers. 

Now,  if  you'll  excuse  me,  I  have  to 
go  apply  for  a  free  diploma. 

-Scott  Berinato 


Who’s  Afraid? 


ILLUSTRATIONS  BY  LEO  ESPINOSA 
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A  Call  to  Inaction 


CYBERSECURITY  In  February,  President  Bush  released  his  much  anticipated 
National  Strategy  to  Secure  Cyberspace.  The  report  contains  dire  warnings  about  the 
threat  posed  by  cyberterrorism,  but  Bush’s  National  Strategy  has  a  hands-off  approach, 
essentially  asking  the  private  sector  to  police  and  solve  its  own  security  problems. 

“In  general,  the  private  sector  is  best  equipped  and  structured  to  respond  to  an  evolv¬ 
ing  cyberthreat,”  the  report  states.  “A  federal  role  is  only  justified  when  the  benefits  of 
intervention  outweigh  the  associated  costs.”  However,  the  Bush  administration  did  con¬ 
fess  that  the  government  needs  to  get  its  own  IT  house  in  order. 

One  of  the  challenges  facing  the  Bush  plan  is  the  government’s  well-documented 
inability  to  adequately  manage  its  IT  resources.  (See  “Liability  Limits,”  Wonk,  February 
2003.)  In  December,  a  General  Accounting  Office  report  reiterated  many  of  the  same 
charges  in  light  of  the  new  focus  on  domestic  security.  The  report  identified  $2.9  billion 
in  IT  funding  for  homeland  security  but  found  that  many  of  the  agencies  slated  to  receive 
the  most  funding  were  still  struggling  to  resolve  significant  IT  management  issues. 

Without  properly  addressing  those  issues,  including  a  GAO  request  for  agencies  to 
develop  better  blueprints  to  guide  IT  purchasing  and  manage  IT  investments,  the  gov¬ 
ernment’s  efforts  to  secure  cyberspace— including  those  in  the  new  Department  of 
Homeland  Security— could  fall  victim  to  lingering  information  security  problems. 

-Paul  Roberts 


Stick  It  to ’Em 


HACKERS  Have  you  ever  fantasized  about 
catching  a  hacker  in  action?  What  a  sweet 
moment  it  would  be.  Your  network  could 
snare  interlopers  like  a  spider’s  web,  allowing 
you  to  swoop  in  and  neutralize  the  intruder 
without  him  even  knowing  what  happened. 
Well,  thanks  to  Julie  Huff,  a 
systems  architect  at 
Northrop  Grumman 
Information  Technol¬ 
ogy,  your  fantasy  is  no 
longer  the  ultimate  CSO 
dream.  In  June,  Huff  and 
two  colleagues  received  a 
patent  for  a  platform 
designed  to  allow  com¬ 
panies  to  take  an  offen¬ 
sive  approach  to 
intrusion  response.  The 
platform,  called  Security 
Kinetix,  is  designed  around  “agents”  that 
watch  over  individual  computer  or  network 
nodes  and  can  defend  the  node  or  spy  on  a 
hacker,  depending  on  what  the  network 
administrator  wants.  Huff’s  system  doesn’t  go 
after  hackers  itself,  but  clients  can  customize 
the  agent  architecture  to  build  whatever  sort 


m 


of  counterattack  they  want. 

"Response  is  what  the  owner  of  a  particular 
system  defines  response  to  be,”  Huff  says. 

“No  one  can  predict  what  hackers  will  come 
up  with,  but  we  wanted  to  give  people  a  tool 
to  help  them  fight  back.” 

Most  intrusion  detection  prod¬ 
ucts  don’t  allow  companies 
to  be  flexible  in  their  re¬ 
sponses.  A  company  may 
not  want  to  shut  users  out 
of  the  system  if  they  fail 
the  password  three  times 
in  a  row,  but  a  lot  of  prod¬ 
ucts  will  cut  them  off, 

Huff  says.  If  you’re  in  the 
military  and  you  have 
computers  in  remote 
areas,  you  need  to  be  able 
to  respond  to  anomalies 
quickly,  perhaps  by  cutting  stolen  computers 
off  from  the  network  or  shutting  down  remote 
nodes  that  are  being  scanned  by  hackers. 

"We  haven’t  designed  the  system  to  shoot 
magic  firebolts  through  a  firewall,  but  if  that’s 
what  you  need,  we’ll  help  you  build  it,"  Huff 
says.  -Simone  Kaplan 
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The  Ripple  Effect 


EUROPEAN  SPENDING 


Despite  the  proliferation  of  cameras  on 
street  posts  to  monitor  pedestrians  and 
traffic  in  European  cities,  a  recent  IDC 
study  shows  that  security  investments  in 
the  United  States  are  four  times  as  high  as 
they  are  in  Europe.  But  that  is  changing. 
Security  was  recently  cited  as  the  number- 
one  concern  of  IT  professionals  in  Europe. 

France,  Italy  and  Germany  expect  the 
highest  increases  in  security  spending  this 
year— 41  percent,  33  percent  and  33  per¬ 
cent,  respectively.  European  industries  will 
increase  security  budgets,  citing  the 
increasing  complexity  of  risk  management. 
Government  agencies  will  increase  security 
spending  by  41  percent  in  2003,  utilities  will 
increase  by  36  percent,  and  banking  and 
finance  follow  with  a  34  percent  increase. 

Carla  Arend,  an  analyst  at  IDC  (a  sister 
company  to  CSO’s  publisher),  reports  that 
security  investments  are  gaining  traction  in 
Europe.  In  general,  European  corporations 
are  adopting  the  same  trends  as  those  in  the 
United  States,  but  they’re  approaching 
security  with  a  different  intensity  and  focus. 
Currently,  regulation  and  Internet  usage  are 
the  main  drivers  for  security  in  Europe. 
European  corporations  are  concentrating  on 
improving  mobile  security— employees  are 
demanding  access  to  corporate  information 
anytime,  anywhere.  -Kathleen  Carr 


Security  adoption 
in  Europe 


Antivirus 


99% 


Firewall  software 


Hardware-based  firewalls 


■■■  69% 


Encryption 


Monitoring  employee  Internet  and  e-mail  use 


Intrusion  detection 

■■146% 


Biometrics 

I  6% 


SOURCE:  IDC'S  “EUROPEAN  SECURITY  PRODUCTS  & 
STRATEGIES  SERVICE”  AND  “BUILDING  SECURE  ENVI- 
RONMENTS-EUROPEAN  CORPORATE  INFRASTRUCTURE 
SURVEY.  2002.”  RESPONDENTS:  419  CIOS  AND  OTHER 
INDIVIDUALS  RESPONSIBLE  FOR  I.T. 
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With  neuSECURE™,  industry-leading  software 
from  GuardedNet,  you  can  transform  those 
mountains  of  raw  security  event  data  into  what 
you  really  need  -  knowledge  to  help  you 
manage  your  organization's  security  posture. 


neuSECURE:::  threat  management  process 


Knowledge 


Centralize 

Correlate 


Analyze  Investigate 

Prioritize  Respond 


Report 

Remember 


neuSECURE  is  a  central  monitoring  system 
for  log  aggregation,  event  correlation,  threat 
analysis,  threat  response  and  forensic 
investigation  of  security  event  data  from 
firewalls,  IDS’,  hosts  and  routers.  neuSECURE 
facilitates  real-time  attack  detection  and 
response,  and  generates  a  wide  range  of 
reporting  options  for  operations,  management 
and  audit  compliance. 


security  data  relevancy,  call  1-888-599-8297  or 
visit  www.guarded.net/logdataoverload.html. 


Transforming  Security  Data  Into  Knowledge 


Firewalls 

IDS 

■1 

Routers 

Op  Systems 

J 

Applications 

Others 

Don't  Get  Too  Attached 

WIRELESS  You’ll  soon  have  more  wireless  security  options.  However, 
security  concerns  over  wireless  local  area  networks  will  dissuade  many  of 
you.  According  to  analyst  Michael  Rasmussen  at  Giga,  many  large  companies 
will  wait  for  encryption  and  authentication  standards  before  deploying  wire¬ 
less.  “Wireless  is  growing  at  a  strong  rate,  but  it  is  being  held  back  by  secu¬ 
rity,”  he  says.  “The  growth  rate  would  be  two  to  three  times  [the  rate  shown 
below]  if  we  had  a  solid  security  framework  for  it.” 

IDC  estimates  a  71  percent  increase  in  the  compound  annual  growth  rate 
for  mobile  and  wireless  software  revenue  for  the  software  security  market. 


Wireless  market  growth  by  2007 


SOURCE:  "MOBILE  SECURITY  SOFTWARE  WORLDWIDE  FORECAST  AND  ANALYSIS,  2002-2007,"  A  FEBRUARY  2003 
REPORT  BY  IDC  (A  SISTER  COMPANY  TO  CSO’S  PUBLISHER) 


“When  if;  conics 
ta  privacy,  I  m  scared 
ot  corporate  action, 

and  l  m  scared  ot . 
government  inaction. 


-LOGAN  ROOTS,  COMPUTER  PROGRAMMER 
(SEE  “PRIVATE  LIFE,”  DEBRIEFING,  PAGE  64) 
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May  I  Secure  the 
Envelope  Please? 


PRIVACY  Greg  Garrison  is  the  keeper  of  the 
juiciest  secret  in  Hollywood— the  identities  of 
the  Oscar  winners.  As  the  lead  ballot  partner  for 
PricewaterhouseCoopers  (PWC)  in  Los  Angeles, 
Garrison  commandeers  a  group  of  accountants 
that  tabulates  the  Oscar  nominations  and  pre¬ 
serves  the  security  of  the  results  until  each  enve¬ 
lope  is  unsealed  on  stage.  It’s  a  process  that  has 
remained  low-tech  and  unchanged  for  70  years. 

At  an  undisclosed  location,  Garrison  and  his 
team  of  four  to  five  accountants  sift  through  the 
5,700-odd  ballots  to  determine  the  winners.  The 
ballots  are  divided  among  the  team  members 
so  that  no  one,  other  than  Garrison  and  his  part¬ 
ner,  knows  the  identities  of  the  winners.  Scoffing 
at  computer  systems,  which  could  be  tempting 
targets  to  hackers,  PWC  guards  the  final  tabula¬ 
tions  and  ballots  the  old-fashioned  way— in  a 
safe.  The  final  tallies  are  completed  on  the 
Friday  before  the  Sunday  telecast,  and  Garrison 
and  his  partner  place  each  winner’s  name  in  an 
envelope  and  seal  it  personally— preparing  two 
identical  sets  of  envelopes  in  case  something 
happens  to  one.  The  accountants  carry  the  sets 
separately  to  the  ceremony,  escorted  by  armed 
guards  via  different,  secret  routes.  At  the  awards, 
Garrison  and  his  partner  hand  the  envelopes  to 
the  presenters  as  they  step  on  stage. 

Are  all  these  elaborate  machinations  neces¬ 
sary  for  Oscar’s  security?  Garrison  believes  so. 
After  all,  in  Hollywood  everyone’s  got  an  angle. 
You  never  know  when  you’re  going  to  be 
accosted  by  a  persuasive  diva  who  will  try  to 
charm  the  identity  of  the  best  actor  winner  out 
of  you— as  Julia  Roberts  tried  to  do  to  Garrison 
last  year.  ‘You  know  a  secret  that  everybody 
would  like  to  know,”  says  Garrison.  But  other 
than  that,  it’s  pretty  much  your  usual  account¬ 
ing  audit— except  the  after-parties  are  better. 

-Daintry  Duffy 


What  is  the  key  to  securing  your  customers  trust? 


The  VeriSign  Secure  Site  Seal.  Voted  the  #1  sign  of  trust  on  the  Internet 


Whether  you  are  building  an  e-commerce  Web  site  or  securing  internal  networks,  communicate  the  integrity  of  your  company  and  the 
security  of  your  servers  by  posting  the  VeriSign®  Secure  Site  Seal.  Recognized  as  a  symbol  of  security  and  legitimacy,  the  Secure  Site  Seal 
is  a  leading  sign  of  trust  on  the  Internet.  To  get  a  free  copy  of  the  guide  "Securing  Your  Web  Site  For  Business",  please  call  1-866-893-6565 
option  3,  or  visit  www.verisign.com/dm/freeguide/068/ 


■  WEB  PRESENCE  SERVICES 


eriSign 

The  Value  of  Trust" 


■  TELECOMMUNICATION  SERVICES  ■  SECURITY  SERVICES  ■  PAYMENT  SERVICES  iSE 


^heskm/Studio  Archetype  Study  ©  2002  VeriSign.  Inc  All  nghts  reserved  VeriSign.  the  VeriSign  logo,  The  Value  of  Trust,  and  other  trademarks,  service  marks,  and  logos  are  registered  or  unregistered  trademarks  of  VenSign  and  its  subsidiaries  in  the  United  States  and  in  foreign  countries 


Taking  the 
Internet 
by  Storm 

INTERVIEW  The  sudden  emergence 
in  January  of  the  Slammer  worm  called 
attention  to  the  vital  role  played  by  Internet 
monitoring  services  such  as  the  Internet 
Storm  Center  (ISC)  at  The  SANS  Institute. 

As  the  worm  spread  across  the  Internet 
on  Jan.  25,  the  ISC's  website  tracked  the 
developing  attack— measured  by  an  increase 
in  traffic— in  close  to  real-time. 

The  ISC’s  intrusion  detection  system 
is  the  brainchild  of  Johannes  Ullrich,  who, 
as  the  CTO  for  the  Internet  Storm  Center, 
manages  the  system  from  his  home  in 
Quincy,  Mass. 

He  recently  spoke  with  CSO  about  the 
Slammer  outbreak  and  the  role  of  monitor¬ 
ing  organizations  to  prevent  or  mitigate 
future  outbreaks. 

CSO:  How  do  you  operate  the  Internet  Storm 
Center? 

Johannes  Ullrich:  We  collect  firewall  and 
intrusion  detection  system  logs  from  every¬ 
one— from  home  users  to  universities  and 
enterprises  with  midsize  networks. 

Then,  we  gather  reports  from  our  mem¬ 
bers,  which  have  been  batched  and  sent  to 
us  via  e-mail,  typically  once  an  hour.  We 
dump  all  the  data  we  receive  into  a  database 
and  run  queries  to  spot  new  trends. 

Why  is  the  Internet  Storm  Center  valuable  to 
CSOs? 

CSOs  can  get  the  global  background  [on 
Internet  threats]  and  identify  those  particular 
threats  that  specifically  target  their  networks. 

But  not  all  the  information  we  provide 
is  on  attacks.  The  ISC  gives  CSOs  a  glimpse 
of  how  the  world  sees  their  networks.  For 
example,  it  would  be  good  to  know  if  you  had 
any  rogue  clients  on  your  system.  If  you  hap¬ 
pen  to  have  a  large,  diverse  network,  those 
are  things  you  can’t  control  that  well.  The 
Internet  Storm  Center  is  one  way  to  keep 
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CHIEF  TECHNOLOGY  OFFICER  OF  THE  INTERNET  STORM  CENTER  AT  THE  SANS  INSTITUTE 


track  of  what's  going  on.  Our  submitters  get 
a  daily  summary  of  their  reports  that  tell 
them  what  ports  were  attacked  and  what 
hosts  were  hit. 

For  each  source  of  attack,  we  list  how 
many  other  companies  are  targeted  from 
the  same  source.  That  helps  you  determine 
whether  your  business  is  getting  targeted. 

How  many  organizations  report  to  the  ISC? 

We  have  about  41,000  participants 
registered.  About  2,000  of  those  submit 
regularly. 

Sixty  percent  of  our  participants  are 
outside  the  United  States— located  mostly 
in  Europe.  We  receive  between  5  million  to 
10  million  submissions  every  day. 

The  recent  outbreak  of  Slammer  was  one 
of  the  fastest  worms  in  the  history  of  the 
Internet.  What  did  it  look  like  from  where 
you  were  sitting? 

Slammer  hit  instantly.  Initially  there  wasn’t 
too  much  we  could  do  about  it. 

On  the  backbone  level,  ISPs  were  just 
filtering  [Slammer]  out.  Our  service  was 
somewhat  affected  by  other  outages,  so 


our  alerts  didn’t  go  out  until  Saturday 
morning  at  10. 

In  the  meantime,  I  discussed  with  my 
colleagues  what  we  should  tell  users.  We 
sent  out  an  e-mail  that  reiterated  the  need  to 
block  that  port.  Then  we  also  did  some 
research  to  pinpoint  all  the  infected  hosts 
on  the  network. 

What  was  interesting  or  unusual  about 
Slammer  from  your  perspective? 

That  the  bandwidth  went  up  within  the  first 
30  seconds,  but  that  ultimately  Slammer 
choked  itself. 

What  is  your  nightmare  outbreak? 

It’s  definitely  a  worm  attacking  a  commonly 
used  service  [for  example,  a  domain  name 
system  or  Web  HTTP],  In  general,  I'm  not 
afraid  of  a  flash  worm.  I’m  more  afraid  of 
slowly  spreading  worms  with  more  destruc¬ 
tive  payloads.  These  payloads  are  lines  of 
malicious  code  that  can  erase  hard  drives, 
steal  credit  card  programs  and  so  on.  They 
can  live  under  the  radar  for  a  long  time,  and 
it  can  be  hard  to  raise  people’s  awareness 
levels.  ■ 
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Imagine  an  intrusion  protection  system  that  actually  anticipates  a  hacker's 
behavior.  Checkmate  is  the  newest  breed  of  intrusion  protection,  and  the 
first  to  truly  combine  behavioral  and  computer  sciences.  Created  by 
nationally  recognized  experts  in  psychological  assessment  and  network 
security,  Checkmate  assesses  a  hacker's  intent  and  prevents  damage 

before  it  occurs.  For  more  information, 
visit  www.psynapsetech.com 


The  first  intrusion  protection  system  that 
can  anticipate  a  hacker's  next  move. 


NEW 


Checkmate 


The  Who,  What  and  Why  of  Washington 

Top  Billing 


Government  Knows  All 

The  feds  can  try  to  monitor  everyone,  everywhere,  but  who's  to  say 
they’ll  get  it  right?  By  Julie  Hanson 


HE  DEPARTMENT  OF  DEFENSE’S 
proposed  Total  Information  Awareness  (TIA) 
project,  a  prototype  program  designed  to  mine 
information  from  commercial  databases  and 
personal  e-mails  to  wage  war  on  terrorism,  has 
raised  concerns  among  privacy  advocates  and 
technology  experts.  Echoing 
those  worries,  Congress 
placed  a  moratorium  on  the 
project  pending  additional 
research.  But  regardless  of 
Big  Brother-type  fears,  addi¬ 
tional  questions  persist  over 
whether  today’s  technology 
is  advanced  enough  to  mine 
mountains  of  information 
and  track  terrorists  without 
generating  false  accusations. 

TIA  is  the  brainchild  of 
the  Defense  Advanced 
Research  Projects  Agency’s 
(DARPA)  Information 
Awareness  Office.  DARPA  argued  that  TIA 
isn’t  a  “supercomputer  to  snoop.”  It’s  an 
experimental  system  that’ll  use  language 
translation,  data  search  and  pattern  recogni¬ 
tion  to  ferret  out  terrorist  activity. 

Since  the  1980s,  SRA  International 
President  and  CEO  Ernst  Volgenau  has  been 
working  with  text  mining— the  reading  of 
documents  and  extraction  of  data  in  search 
of  patterns.  He  thinks  the  government  has 
some  good  ideas,  but  he  has  some  reserva¬ 
tions.  An  increasing  number  of  government 
agencies  are  turning  to  off-the-shelf  software 
to  run  many  programs,  but  much  of  this  soft¬ 
ware  is  designed  for  commercial  use— not  for 
handling  highly  classified  government  secrets. 

Volgenau  is  also  concerned  about  such  a 
large  system  generating  false  positives  or  false 
negatives  as  well  as  its  ability  to  detect  new 
patterns.  Consider  antivirus  software.  If  your 


system  is  breached  by  an  attack  pattern, 
your  antivirus  software  teaches  itself  to  detect 
it.  But  if  a  new  attack  pattern  is  developed, 
your  software  might  not  detect  it. 

While  the  process  of  data  mining  is  simple, 
says  David  Smith,  product  manager  for  data- 
mining  software  company 
Insightful,  collecting  it 
from  resources  with 
varying  structures— for 
example,  credit  card  num¬ 
bers— is  difficult.  Looking 
for  trends  in  a  database 
of  phone  calls  is  one  thing, 
but  searching  e-mails 
with  random  text  is  much 
harder,  Smith  says. 

Aside  from  the  tech¬ 
nological  challenges,  there 
are  privacy  issues.  Marc 
Rotenberg,  executive 
director  of  the  Electronic 
Privacy  Information  Center,  thinks  the  TIA 
program  “is  opposed  to  the  constitutional 
safeguards  of  the  Fourth  Amendment.” 
Rotenberg  views  safeguarding  political 
freedom  as  paramount. 

Barbara  Simons,  cochair  of  the  U.S.  Public 
Policy  Committee  of  the  Association  for 
Computing  Machinery  (ACM),  says  the 
Pentagon  has  not  been  forthcoming  with 
details  on  who  will  manage  and  have  access 
to  information  mined  by  TIA  as  well  as 
specifics  on  how  the  Pentagon  plans  to  build 
the  system.  “Whenever  there  are  large  data¬ 
bases  about  people,  there  is  a  risk  that  they 
are  going  to  be  compromised.. .and  we  don’t 
know  precisely  what  [the  Pentagon]  has  in 
mind,”  says  Simons.  Members  of  ACM  were 
so  troubled  by  TIA’s  possible  security  risks 
that  they  wrote  a  letter  to  Congress  voicing 
their  concerns.  ■ 


NEWS  FROM  INSIDE  THE  BELTWAY 

The  White  House  released  the  second 
draft  of  the  National  Strategy  to 
Secure  Cyberspace,  which  encour¬ 
ages  partnerships  between  the  public 
and  private  sector  while  avoiding  gov¬ 
ernment  security  mandates.  The  first 
draft  was  released  last  September, 
and  the  White  House  culled  input  from 
private  industry  before  releasing  the 
most  recent  document. 

President  Bush's  2004  U.S.  govern¬ 
ment  budget  asks  for  more  than 
$70  billion  in  IT  spending.  This  funding 
includes  $35  billion  toward  technolo¬ 
gies  that  will  reduce  America’s 
vulnerability  to  attacks  and  enhance 
emergency  response  systems,  and 
$36.2  billion  for  the  integration  of  the 
22  government  agencies  that  make  up 
the  Department  of  Homeland  Security. 

The  Oasis  (Organization  for  the 
Advancement  of  Structured  Information 
Standards)  interoperability  consortium 
announced  that  its  members  approved 
the  Extensible  Access  Control 
Markup  Language  (XACML)  as  an 
Oasis  open  standard.  XACML  allows 
developers  to  express  and  enforce 
policies  for  information  access  over 
the  Internet  via  Web  services. 

The  Department  of  Health  and  Human 
Services  (HHS)  released  its  final  secu¬ 
rity  standards  for  the  electronic 
transmission  of  personal  health 
information.  These  standards, 
required  through  a  provision  of  the 
Health  Insurance  Portability  and 
Accountability  Act,  contain  no  specific 
technology  recommendations  but 
instead  offer  a  series  of  security  best 
practices.  A  full  report  of  the  standards 
is  available  on  the  HHS  website 
( www.hhs.gov ).  Entities  must  comply 
with  these  new  rules  by  April  21,  2005. 


For  more  about  what's  happening  in 
Washington,  visit  our  website  at 

www.csoonline.com/wonk. 
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THE  DATA  INTEGRITY  ASSURANCE  COMPANY 


Copyright  2003.  Tripwire  and  the  Tripwire  logo  are  registered  trademarks  of  Tripwire,  Inc. 


Your  Enterprise  Monday  10:32  A.M 


Now  you  can  know 
what,  when,  where 
and  how  data  change 
has  occurred. 


Tripwire®  assures  the  integrity  of  your  data 
and  gives  you  the  ability  to  effectively 
pinpoint  and  manage  undesired  change 
across  all  your  servers  and  network  devices. 
By  establishing  a  baseline  of  data  in  its 
known  good  state,  Tripwire  software  monitors 
and  reports  any  changes  to  that  baseline 
and  enables  rapid  discovery  and  recovery 
when  an  undesired  change  occurs. 

Maximize  System  Uptime 

■  Identify  change  quickly 

■  Enable  quick  restoration  to  a  desired  state 

■  Eliminate  risk  and  uncertainty 

Failsafe  Foundation  for  Data  Security 

■  Ensure  the  integrity  of  your  data 

■  Enable  detailed  audit  reporting 

■  Granular  visibility  and  control 


Tripwire’s  data  integrity  assurance  solutions 
are  the  only  way  to  have  100%  confidence 
that  your  systems  remain  uncompromised. 
In  the  event  of  a  change  in  state,  you’ll 
know  exactly  what,  when,  where  and 
how  change  has  occurred  so  you  can 
recover  quickly. 


For  a  FREE  30-day  fully-functional  demo 
and  copy  of  the  white  paper  “Data  Integrity 
Assurance  in  a  Layered  Security  Strategy...”, 

call  toll-free:  1 -800-TRIPWIRE  (874.7947) 
or  visit  http://cso.tripwire.com  today! 


Lower  Costs  and  Frustration 


Greatly  reduces  the  time  it  takes  to 
find  and  diagnose  problems 


TftHW 


Look  Risk  in  the  Eye 

Radianz  CSO  Lloyd  Hession  answers  readers’  questions 
about  information  technology  risks 


Q:  I  love  the  idea  of  posing  much  of  my  purchasing  and  deployment  decisions  as 
risk  equations.  Having  said  that,  I  don’t  have  the  time  or  expertise  in-house  to 
develop  those  risk  models  myself.  Where  can  I  cheat  and  filch  some  risk  models 
already  developed  that  could  apply  to  me? 

A:  The  key  is  to  keep  your  analysis  simple  and  in  terms  that  management  can 
understand.  The  problem  with  many  off-the-shelf  risk  methodologies  is  that 
they  will  require  a  significant  amount  of  tinkering  before  they  will  be  right  for 
your  particular  business.  You  may  be  able  to  fill  in  some  numbers  by  calling 
on  the  experience  and  expertise  of  your 
security  team.  Then,  if  you  have  a  good 
knowledge  of  your  environment,  you 
can  make  a  strong  case  with  some  simple 
calculations. 

An  example:  We  expended  1,000 
man-hours  and  $100,000  dealing  with 
incidents  last  year— 70  percent  of  those 
were  the  result  of  worms  that  got  into 
the  company  as  e-mail  attachments.  We 
could  have  eliminated  90  percent  of 
those  threats  by  implementing  a  tool  on 
our  mail  server  that  removes  potentially 
harmful  attachments  before  they  ever 
enter  our  network.  The  license  will  cost 
us  $25,000  per  year,  and  we  can  manage 
the  solution  with  existing  resources  for 
a  negligible  cost. 

The  risk  equations  you  are  looking  for 
in  this  situation  are  quite  simple.  Once  you  make  an  assumption  about  the 
per-hour  cost  of  a  worker,  say  $25,  you  will  have  a  very  strong  case  to  present 
to  management  for  the  purchase  of  your  mail  server  software. 

It  is  extremely  important  to  keep  logs  and  metrics  of  security-specific  issues  so 
that  you  will  have  the  information  necessary  to  analyze  your  specific  situation. 

Q:  What  are  the  current  best  practices  in  security  reporting  structures? 

A:  If  your  organization  has  a  separate  security  team,  I  have  always  felt  it’s 
important  to  keep  that  team  organizationally  separate  from  traditional  IT 
functions.  Different  organizations  have  different  reporting  structures;  but, 
ideally,  the  top  executive  responsible  for  security  should  be  a  peer  to  the  CIO. 
The  CSO  is,  after  all,  executive  management’s  subject  matter  expert  on  security. 

Security  touches  all  areas  of  the  company,  not  just  IT.  An  effective  security 
organization  will  require  a  view'  over  the  entire  organization  along  with  the 


authority  to  create  policies  and  conduct  awareness 
training  for  all  employees. 

It  is  critically  important,  though,  to  maintain  a  good 
relationship  with  the  IT  functions  in  order  to  provide 
effective  security.  That’s  where  a  security  team  can 
leverage  its  role  as  subject  matter  expert.  Act  as  a 
resource  for  systems  administrators  who  need  to  harden 
their  systems.  Educate  developers  to  develop  secure 
software.  Assist  in  the  development  of  secure  solutions 
to  enable  a  mobile  workforce.  The  key  is  to  maintain 
independence,  while  enabling— not  blocking— solutions. 
The  result  will  be  an  organization  that  recognizes 
security  as  an  integral  component  to  its  success. 

Q:  How  does  one  present  risks  in  a  concise  manner  to 
senior  executives— CIOs  and  above? 

A:  The  key  is  to  present  risk  as  a  business  decision 
requiring  action.  You  will  probably  do  more  harm  than 
good  in  attempting  to  frighten  a  budget  out  of  senior 
management  by  pointing  to  all  the  dire  consequences 
associated  with  a  particular  risk. 
Instead,  using  knowledge,  experi¬ 
ence,  published  statistics  and  even 
some  guesswork,  provide  manage¬ 
ment  with  an  assessment  of  the 
magnitude  of  the  risk  and  a  menu 
of  options  for  solving  the  problem. 
The  menu  should  include  the  cost 
and  “residual  risk”  of  each  mitigation 
strategy.  Residual  risk  is  simply  the 
risk  left  over  once  you’ve  imple¬ 
mented  your  solution. 

It  is  up  to  management  to  deter¬ 
mine  exactly  how  much  risk  the 
company  can  afford  to  accept.  It 
may  very  well  be  the  case  that  senior 
management  is  comfortable  with  a 
$100,000  exposure.  The  security 
expert  provides  value  with  his 
analysis  because  it  reduces  the  problem  to  the  type 
of  business  decision  that  management  is  used  to 
making  every  day. 

The  job  of  the  security  team  is  to  enable  intelligent 
corporate  decisions  regarding  security.  Business  is  a 
series  of  trade-offs,  and  presenting  risk  in  terms  of 
those  trade-offs  demystifies  security  decisions  and 
results  in  a  cost-effective  set  of  controls.  ■ 


*  Have  a  security  topic  to  suggest  or  an  expert  you’d  like 
to  hear  from?  Send  your  thoughts  to  Assistant  Managing 
Editor  Kathleen  Carr  at  kcarr@cxo.com.  Go  online  to  see  what 
your  peers  are  discussing  at  www.csoonline.com/counsel. 
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For  more  information  on  training  or  certification,  please  call 

1.888.333.4458 

or  visit  www.isc2.org 


Even  organizations  with  identical  security  technology  can  have  information  systems  whose  trustworthiness  isn’t 
comparable.  Skilled,  motivated  and  reliable  security  architects,  designers,  implementers,  administrators  and 
managers  make  the  difference.  Experts  whose  abilities  are  coveted,  because  as  holders  of  CISSP®  and  SSCP® 
credentials,  they’re  the  trusted  constituents  of  the  non-profit  consortium  of  industry  leaders  known  as  (ISC)2". 

(ISC)2  is  a  non-profit  consortium  of  industry  leaders  whose  charter  is  to  compile  and  maintain  the  most 
comprehensive  Common  Body  of  Knowledge  (CBK)™.  And  from  this  CBK,  develop  the  industry  standards  for 
training  and  credentialing.  Those  professionals  who  earn  CISSPs  and  SSCPs,  share  the  credibility  of  the 
internationally  recognized  Gold  StandardSM  in  information  security. 


Mistrust  Never  Sleeps 

A  healthy  suspicion  of  every  business  partner  can  pay 
dividends  for  the  CSO  By  David  H.  Holtzman 


S  I  WRITE  THIS,  THE  COUNTRY  is  deciding  whether  to  pass  or  play 
at  war.  I  live  in  the  Washington,  D.C.,  area,  where  our  nerves  are  shot.  During  the 
past  year  and  a  half  we’ve  lived  with  the  anticipation  of  terrorists,  anthrax,  then 
snipers.  We’re  back  to  terrorists  again.  Safety  has  become  a  commodity  as  tangi¬ 
ble  as  duct  tape  or  gas  masks;  it  is  the  negative  space  left  behind  when  fear  is 
erased.  Security  is  different.  It  lasts  longer.  And  it’s 
not  about  finding  a  feel-good  solution.  Security  is 
about  trust. 

The  modern  world  has  become  too  complicated 
to  navigate  solely  from  our  experiences  and  senses. 

We  have  become  reliant  on  too  many  unseen  oth¬ 
ers.  Every  time  we  eat  in  a  restaurant  without 
watching  the  food  being  prepared  in  the  kitchen, 
it’s  an  act  of  faith,  which  is  shared  by  other  diners. 

Consumer  trust  comes  from  numbers. 

Recently,  we  heard  in  the  news  that  someone 
had  hacked  8  million  Visa,  MasterCard  and  Amer¬ 
ican  Express  card  numbers.  The  break-in  occurred 
at  an  unidentified  merchant  payment  processor. 

How  did  this  middleman  acquire— let  alone  lose— 
millions  of  consumers’  intimate  data?  Customers 
trusted  the  merchant,  and  the  merchant  had  faith 
in  the  payment  processor,  or  more  likely  a  fourth 
party  that  sold  the  store  a  turnkey  solution. 

The  corporate  pressure  point  in  all  of  this  is 
often  the  unfortunate  CSO  who  is  tasked  with 
being  suspicious  of  everyone  and  everything.  At  the 
same  time,  however,  the  CSO  must  depend  on  the 

kindness  of  strangers.  Not  only  is  he  reliant  on  procedural  adherence  by  every 
employee  of  the  company,  but  he  must  operate  with  the  knowledge  that  every  new 
ware,  hard  or  soft,  could  be  stabling  a  Trojan  horse. 

The  health  of  corporate  security'  at  any  given  time  is  defined  by  the  worst  of  thou¬ 
sands  of  buying  decisions.  The  reasons  for  the  choices  are  soon  forgotten,  but  any 
vulnerability  remains  behind  until  the  gear  is  replaced. 

As  supply  chains  grow,  it  becomes  increasingly  likely  that  people  who  do  busi¬ 
ness  together  will  never  meet.  Much  of  the  value  gained  from  consultants  and 
expensive  management  hires  comes  from  their  ability  to  vouch  for  a  strange  com¬ 
pany.  Reputation  and  reliability  have  become  even  more  important  in  the  digital 
world.  Untrustworthy  employees  can  compromise  passwords;  unreliable  ven¬ 
dors  may  have  unknowingly  integrated  exploitable  mistakes;  and  undependable 
protocols  can  lull  administrators  into  a  false  sense  of  security. 


Digital  Trust 

Fifteen  minutes  with  a  packet  sniffer  or  one  hour  with 
password  Crack  will  scare  sense  into  anybody.  Most  pro¬ 
tocols  still  send  passwords  in  the  clear  (simple  mail  trans¬ 
fer  protocol  and  Wi-Fi  come  to  mind),  meaning  that 
anyone  who  has  unrestricted  access  to  a  computer  can  get 
into  the  whole  network. 

Some  services  that  provide  their  own  authentication 
are  as  guileless  as  a  kindergartner.  The  domain  name 
system  (DNS)  has  always  had  this  weakness.  There  are 
many  incidents  of  “DNS  spoofing”  and  “cache  poisoning” 
against  large  companies.  No  amount  of  money  can  pro¬ 
tect  a  company  against  this  problem  because  DNS  attacks 
hypnotize  the  audience,  not  the  victim. 

Any  technology  that  incorporates  authentication  or 
encryption  is  critically  dependent  on  trust.  Most  network 
security  schemes  rely  on  secure  sockets  layer,  but  who 

hands  out  the  server  certifi¬ 
cates  using  what  identification 
criteria?  What  happens  when 
the  certificate  is  revoked? 
The  importance  of  those  ques¬ 
tions  became  apparent  in 
March  2001,  when  Microsoft 
released  a  highly  publicized 
security  advisory  because 
VeriSign  had  issued  two  digi¬ 
tal  certificates  to  some  entity 
that  claimed  to  be  Microsoft— 
and  wasn’t.  Microsoft  created 
a  software  patch  to  invalidate 
the  bogus  credentials  because 
it  turned  out  that  Internet 
Explorer  didn’t  have  a  revo¬ 
cation  capability.  Think  about 
that  the  next  time  you  click 
“OK”  when  the  pop-up  asks  if 
you  always  want  to  trust  con¬ 
tent  from  someone. 

Practice  Security  by  Managing  Trust 

War,  if  it  occurs,  will  no  doubt  bring  new  challenges  for 
the  CSO.  There  are  too  many  well-known  soft  spots  in  the 
security  levees  of  the  IT  industry  to  believe  there  won’t  be 
breaches.  There  will  be.  The  attacks,  when  they  happen, 
will  come  from  somewhere  you  trust.  The  wise  security 
officer,  knowing  this,  will  manage  trust  by  challenging 
assumptions  and  diversifying  vulnerability.  ■ 

David  H.  Holtzman,  former  CTO  of  Network  Solutions,  also  worked  as  a 
cryptographic  analyst  with  the  U.S.  Navy  and  as  an  intelligence  analyst  at 
DEFSMAC.  He  can  be  reached  at  david@globalpov.com.  Send  feedback  and 
column  ideas  to  Senior  Editor  Daintry  Duffy  at  dduffy@cxo.com. 
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Our  VPN  solutions  keep  the  people 
that  matter  connected  wherever  they  are. 


If  you  want  your  business  to  grow,  you  need  to 
provide  your  stakeholders  with  secure  and  easy 
access  to  the  corporate  network.  But  the  drive  for 
growth  should  not  be  at  the  expense  of  network 
integrity.  Nokia  is  a  recognized  leader  in  VPN 
solutions  that  not  only  provide  secure,  reliable 
and  manageable  connections  to  those  who  need 
it,  but  also  save  time  and  money  in  deployment 
and  resource  allocation. 
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The  Nokia  system  approach  fully  integrates  best- 
of-breed  VPN  software  from  Check  Point  Software 
Technologies,  with  purpose-built  platforms  that 
are  easy  to  deploy  and  fully  backed  by  global,  24/7, 
First  Call  -  Final  Resolution  support.  This  means 
you  can  grow  your  business  without  compromising 
security,  so  that  you  can  slip  away  a  little  earlier. 
Go  on,  break  free.  Visit 
www.nokia.com/get_a_life/americas 


IMOKIA 

Connecting  People 


CSO  Perspectives™ 
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Today’s  security  executives  meet  at  the  CSO  Perspectives  Conference 

BUILDING  A 
CULTURE 

SECURITY 


June  17-19, 2003 
Hotel  del  Coronado 
Coronado,  California 


Building  a  culture  of  security  involves  much  more 
than  laying  out  the  policies,  procedures  and 
processes  that  employees,  contractors  and  business 
partners  should  follow.  It’s  about  how  you  effectively 
communicate  the  need— how  you  answer  the  ques¬ 
tion  “why”— to  the  myriad  of  security  measures  that 
must  necessarily  be  in  place  in  your  organization  to 
ensure  the  safety  of  your  people,  your  physical 
assets  and  your  information  assets.  It’s  about  mak¬ 
ing  sure  everyone  understands  the  risks  and  is 
willing  to  face  up  to  the  challenges. 


TUESDAY,  JUNE  17 

3:00  pm— 5:00  pm 

Registration 

11:30  am— 5:00  pm 

Golf  Tournament 

6:30  pm— 8:30  pm 

Registration, 

Welcome  Reception  & 
Special  Presentation 


8:20  am— 9:20  am 

America’s  Place 
in  a  Global  Society 

WESLEY  K.  CLARK, 

Former  NATO 
Supreme  Allied 
Commander  &  CNN 
Military  Analyst,  author  of  Waging 
Modern  War,  and  Managing 
Director  for  Merchant  Banking  at 
Stephens  Group,  Inc. 

As  American  business  is  increasingly 


CSO  Perspectives  is  the  landmark  event  for  security 
and  IT  executives  that  helps  you  confront  these 
challenges  by  bringing  together  industry,  govern¬ 
ment  and  academic  experts  who’ve  dealt  with  the 
issues,  debated  the  policies,  and  navigated  the  maze 
of  security  considerations  that  impact  you  on  a  daily 
basis.  You'll  exchange  best  practices  with  your  peers 
and  take  home  lessons  learned  from  their  experi¬ 
ences.  What’s  more,  you’ll  have  ample  time  to  net¬ 
work,  share  ideas  and  expand  your  contacts  during 
our  golf  tournament,  networking  lunches,  receptions 
and  other  activities. 


Security  Executives 


WEDNESDAY,  JUNE  18 

7:00  am— 8:00  am 

Networking 
Breakfast 

8:00  am— 8:20  am 

Welcome 

LEW  MCCREARY, 

Editor  in  Chief, 

CSO  Magazine 

BOBBRAGDON, 

Publisher,  CSO 
Magazine 

JONATHAN 

ZITTRAIN,  Confer-  ^ 

ence  Moderator  and  -  X 

Cofounder,  The 
Berkman  Center  for 
Internet  &  Society, 

Harvard  Law  School 


sustained  by  the  global  market, 
international  political  and  military 
strategy  occupy  a  role  of  vital  signifi¬ 
cance.  Clark  has  been  on  the  front 
lines  of  the  world’s  emerging  markets, 
intimately  aware  of  the  political 
strategy  and  psychology  that  dictate 
corporate  bottom  lines.  He  applies  his 
experience  and  skills  in  strategic 
leadership,  high  technology,  training 
and  organizational  development  to 
the  challenges  facing  us  today. 

9:20  am— 10:20  am 

Creating  a  Culture  of  Security 

ROBERT  LITTLEJOHN,  Vice 
President  of  Global  Security, 

Avon 

Security  is  an  integral  piece  of  the 
business  process— it  doesn't  function 
alone.  It  is  essential  that  all  domestic 
and  international  employees  under¬ 
stand  exactly  what  to  do  in  situations 
that  involve  both  physical  and  cyber 
security.  To  build  a  culture  of  security 


the  chief  security  officer  must  take 
on  a  strategic  role  in  the  organiza¬ 
tion,  emphasize  leadership  and 
communication,  and  develop  the 
policies  and  plans  that  protect  the 
company’s  people  and  other  assets. 

10:20  am— 11:00  am 

Coffee  Break  and 
Sponsor  Exhibits 

11:00  am— 11:30  am 

Sponsor  Briefings 

11:45am— 12:15  pm 

Sponsor  Briefings 

12:15  pm— 1:45  pm 

Networking  Lunch 

2:00  pm— 2:30  pm 

Special  Session 

2:30  pm— 3:30  pm 

Governance  and 
Policy  Management 
Moderator: 

DEREK  SLATER, 

Executive  Editor, 

CSO  Magazine 
Participants:  NEIL 
JACKSON,  CISA, 

Business  Manager 
Internal  Audit,  Global  Informa¬ 
tion  Technology,  E*TRADE 
Group,  Inc. 

BILLSPERNOW, 

Cl  SO,  Georgia 
Student  Finance 
Commission 

Security  gover¬ 
nance  issues  are  a 
particularly  thorny 
topic,  as  more  executives  and 
boards  of  directors  understand  their 
responsibility  and  accountability  in 
information  security  governance. 
They  will  be  challenged  to  prove 
they  are  managing  aspects  of 
security  to  a  level  that  will  satisfy 
business  partners,  customers  and 
stakeholders— and  that  will  mini¬ 
mize  potential  litigation.  A  blue- 
ribbon  panel  discusses  governance 
issues,  who  makes  the  policies, 
what  they  look  like,  how  they  get 
made  and  how  you  enforce  them. 

3:30  pm— 4:30  pm 

Developing  an  Effective 
Framework  for  Risk  Assess¬ 
ment 

THOMAS  P. 

ARMOUR,  Program 
Manager,  Defense 
Advanced  Research 
Projects  Agency 
(DARPA) 


r 


ln  order  to  effectively  assess  your 
risks,  you  need  to  develop  a  frame¬ 
work  and  a  highly  systematic 
approach.  One  key  is  first  analyzing 
Threat,  Vulnerability  and  Conse¬ 
quences  independently,  and  then 
assess  them  altogether.  If  the  Threat 
and  the  Vulnerability  aren’t  large— 
but  the  Consequences  are  massive, 
you've  got  a  very  big  problem.  What 
are  the  trade-offs  between  institut¬ 
ing  appropriate  levels  of  security 
and  stiflingthe  business?  The 
approach,  tools  and  analytics  are 
applicable  to  both  physical  and 
cyber  security. 

4:30  pm— 5:30  pm 

The  Peer-to-Peer  Networking 
Reception 

THURSDAY,  JUNE  19 

7:00  am— 8:0Qam 

Breakfast  &  Jriformal 
Discussion  Roundtables 

8:00  am— 9:15  am 

What  Every  CSO  Should 
Know  About  Intellectual 
Property 

Moderator:  JONATHAN 
ZITTRAIN 

Panelists:  MELISER. 
BLAKESLEE,  Partner, 
McDermott,  Will  &  Emery 

JOHN  P.  PONTRELLI,  Global 
Security  Director,  W.L.  Gore& 
Associates 

LYNN  M ATTIC E,  Director  of 
Global  Security,  Boston  Scien¬ 
tific 

More  organizations  are  realizing  the 
potential  threats  of  not  safeguard¬ 
ing  their  own  intellectual  property, 
and  of  the  possible  liability  of 
misusing  others’  property,  even 
unintentionally  or  unknowingly. 
Many  are  seriously  weighing  the 
risks  of  not  implementing  digital 
rights  management  (DRM)  tech¬ 
nologies.  Our  panel  explores  recent 
trends  in  intellectual  property 
issues  and  litigation,  and  discusses 
the  impact  on  businesses  of  all 
types. 

9:15  am— 10:30  am 

Evaluating  New  Technologies 
MODERATOR: 

CHRIS  LINDQUIST, | 

Technology  Editor, 

CSO  Magazine  i 

BOBDEGAN,  EkS^I 

Senior  Vice  Presi¬ 


dent,  Corporate  Security,  First 
Data  Corp. 

COLONEL THADDEUS 
DMUCHOWSKI,  Director,  IA, 
United  States  Army 
DAVID  MACLEOD,  Ph.D., 
CISSP,  CPHIMS,  Director  of 
Security,  The  Regence  Group 
JEFFWACKER, 

EDS  Fellow,  vice 
President  &  CTO, 

EDS 

It’s  been  frequently 
said  that  security  is  a 
business  problem, 
not  a  technology  problem.  However, 
technology  does  play  a  crucial  role 
in  your  ability  to  provide  both 
physical  and  cyber  security.  Our 
expert  panelists  talk  about  what 
technologies  they  see  in  the  near 
term  that  will  have  the  most  impact 
on  the  CSO  and  CISO.  What  will 
work,  what  won’t— what  you  should 
be  afraid  of,  and  why. 

10:30  am— 11:00  am 

Coffee  Break  &  Sponsor 
Exhibits 

11:15  am— 11:45  am 

Sponsor  Briefings 

11:55  am— 12:25  pm 

Sponsor  Briefings 

12:25  pm— 2:00  pm 

Networking  Lunch 

2:15  pm— 3:30  pm 

DrillDown  Breakout  Sessions 

These  sessions  are  designed  to  give 
conference  attendees  the  opportu¬ 
nity  to  work  and  network  in  smaller 
groups,  and  discuss  specific  topics 
and  issues  in  greater  detail. 

3:45  pm— 5:00  pm 

Ethics  and  Privacy  in  Action: 
A  Scenario  Panel 
Moderator:  JONATHAN 
ZITTRAIN 
Panelists: 

DEBORAH 
WEINSTEIN,  Labor 
&  Employment  Law 
Attorney,  Eckert 
Seamans  Cherin  & 

Mellott,  LLC. 

CHRISTOPHER 
HOOFNAGLE, 

Deputy  Counsel, 

Electronic  Privacy 
Information  Center 
TERRY LENZNER, 

Chairman,  Investigative  Group 
International 


DOUGLAS  MILLER,  Executive 
Director  of  Privacy,  America 
Online 

An  action  or  policy  may  very  well  be 
legal— but  if  it  isn’t  ethical,  you  may 
be  setting  yourself  and  your  organi¬ 
zation  up  for  some  nasty  surprises 
(not  to  mention  nastier  lawsuits). 
What's  legal,  what’s  ethical— what’s 
the  difference  and  who  decides? 
What  role  does  the  corporate 
culture  play  in  ensuringthatall 
employees  consistently  adhere  to 
policies?  Our  panelists— along  with 
audience  participants— explore 
various  scenarios. 

5:00  pm— 5:15  pm 

Closing  Summary 
JONATHAN  ZITTRAIN 

5:15  pm— 6:00  pm 

Networking  Reception 

7:15  pm— 9:30  pm 

Black  Tie  Dinner  & 
Entertainment 
JIMMY  TINGLE, 

Social/political 
Commentator  & 

Humorist 

Tingle  is  regarded  as 
one  of  the  top  social 
and  political  commentators  and 
humorists  in  the  country,  uncover¬ 
ing  the  absurdities  of  modern  life 
with  an  irreverent  and  incisive  wit. 
After  two  days  of  hard  work  and 
serious  presentations,  who  among 
us  can't  use  a  good  laugh? 

Presentation  of  the  CSO 
Magazine  Compass  Awards 
BOB  BRAGDON  &  LEW 
MCCREARY 

CSO  Magazine  is  pleased  tonight  to 
recognize  several  individuals  for 
their  leadership,  innovative  thinking 
and  contributions  to  advancing 
issues,  policies  and  technologies 
that  promote  physical  and  cyber 
security. 

9:30  pm— 11:00  pm 

SPECIAL  DESSERT 
RECEPTION 


CSO  Perspectives  is  proudly 
underwritten  by 

Microsoft 
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Thirty-two  years  of 
security  experience 
show  up  in  the 
priorities  and  practices 
of  Dennis  Treece, 
director  of  corporate 
security  at  Massport. 
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IN  THIS  STORY 

What  it's  like  to 
run  the  security 
operations  for  a 
major  U.S.  city 


From  Boston’s  Logan  Airport  to  the  city's  waterfront 
shipping  facilities,  CSO  Dennis  Treece  patrols  an 
anxious  perimeter 

By  Lew  McCreary 
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N  THAT  CRYS- 

talline  late  summer  day  in  2001,  when  the 
modern  meaning  of  “homeland  defense”  was 
being  invented  in  four  hijacked  airplanes, 
Massachusetts  Port  Authority,  or  Massport, 
the  public  agency  that  runs  Boston’s  Logan 
International  Airport  and  other  port  facilities, 
was  widely  regarded  as  a  patronage-riddled 
dumping  ground  for  political  burnouts.  That 
this  fact  was  once  deemed  harmless  is  a  relic 
of  more  innocent  times. 

In  the  wake  of  9/11,  a  commission  impan¬ 
eled  by  then-acting  Massachusetts  Gov.  Jane 
Swift  recommended  a  thorough  overhaul  of 
Massport.  Included  in  the  list  of  action  items 
was  the  creation  of  an  executive  security  posi¬ 
tion— someone  who  would  oversee  all  security 
strategy  and  decision  making  across  the 
numerous  functional  units  with  operational 
authority  for  the  various  aviation,  maritime 
and  port  infrastructures  that  fall  under  Mass- 
port’s  control. 

The  aftermath  of  9/11  was  not  pretty.  You 
could  make  a  case  (and  many  did)  that  Logan 
was  really  no  worse  than  any  other  big,  busy 


airport  when  it  came  to  security.  But  whether 
things  that  should  have  been  foreseen  were 
missed,  whether  procedures  that  should  have 
been  followed  were  disregarded,  Boston  still 
wore  the  stain  of  what  happened.  If  you  lived 
in  the  region,  you  watched  the  unseemly 
finger-pointing  play  out  in  the  papers  and  on 
the  local  news.  And  even  though  Dennis 
Treece,  now  Massport ’s  director  of  corporate 
security,  was  then  working  in  Atlanta  for 
Internet  Security  Systems  (ISS),  he  believes 
that  the  stain  is  part  of  a  working  reality  that 
brings  an  ultra  level  of  seriousness  to  the  secu¬ 
rity  mission. 

“There  isn’t  a  Massport  employee  who 
doesn’t  remember  what  it  was  like  to  be  here 
on  9/11,”  says  Treece.  “That  was  an  emotional 
lesson  that  will  never  be  forgotten.” 

With  some  fanfare,  Treece  was  recruited 
in  a  national  search.  (And  proving  that  noth¬ 
ing  lies  beyond  the  scope  of  symbolic  gestures, 
the  search  firm  Russell  Reynolds  Associates,  in 
cooperation  with  Massport,  donated  the 
$66,000  placement  fee  for  Treece’s  position  to 
the  Massachusetts  9/11  Fund.)  Treece  moved 


MASSPORT  at  a  glance 

THE  MASSACHUSETTS  PORT  AUTHORITY— the  agency  better  known  as 
Massport— employs  1,100  people  and  has  operating  revenue  of  $300  million. 

The  private  companies— airlines,  restaurants,  hotels  and  so  on— that  work  in 
Massport's  space  employ  more  than  20,000  people  and  generate  more  than 
$8  billion  in  annual  revenue: 


Logan  International  Airport  is  the  nation's  18th  busiest  airport,  based  on 
passenger  numbers. 

Worcester  Regional  Airport  serves  central  Massachusetts. 

Tobin  Memorial  Bridge  is  Boston's  major  link  to  points  North. 

The  Port  of  Boston  handles  more  than  a  million  tons  of  cargo  annually. 


from  Atlanta  late  last  September.  So  daunted 
is  he— like  many  transplants  to  Boston— by 
the  harebrained  local  traffic  flows,  he  averts 
the  risks  of  driving  to  work  by  instead  taking 
public  transportation.  “It’s  underground  most 
of  the  way,”  he  says.  “So,  unfortunately,  I  don’t 
get  to  memorize  any  landmarks.” 

Fanfare  for  the  Uncommon  Man 

What  Massport  gets  in  Treece  is  32  years  of 
security  experience,  much  of  it  spent  in  mili¬ 
tary  intelligence  in  such  places  as  Bosnia, 
Germany,  Kosovo  and  the  Persian  Gulf  (where 
he  regularly  briefed  Gen.  Norman  Schwarz¬ 
kopf  on  terrorist  activities  during  Operation 
Desert  Storm).  In  the  mid-1990s,  he  went  to 
work  for  the  CIA,  applying  his  experience  in 
military  theaters  to  help  the  agency  improve 
its  support  of  combat  operations.  Most 
recently,  he  spent  two  years  at  ISS  designing 
the  global  threat  operations  center  that  mon¬ 
itors  and  defends  against  attacks  on  cus¬ 
tomers’  information  networks. 

Despite  a  vivid  imagination  given  to 
thoughts  about,  say,  designing  fences  for  max¬ 
imum  blast  dispersion,  Treece  seems  cheerful, 
relaxed  and  reasonably  confident.  In  his  office 
he  has  Aaron  Copland  playing  (not,  as  it  hap¬ 
pens,  “Fanfare  for  the  Common  Man”). 

Not  surprisingly,  Treece’s  intelligence 
background  shows  up  strongly  in  his  security 
priorities  and  practices  at  Massport.  Intelli¬ 
gence  is  about  gathering  the  best  available 
information  to  support  decision  making. 
Treece’s  idea  of  good  security  is  thus  rich  in 
information  flows.  While  he  readily  agrees 
that  success  in  security  is  “a  year  in  which 
nothing  happens,”  there  still  has  to  be  enough 
data  to  bear  out  the  cause-and-effect  rela¬ 
tionship  between  nothing  happening  and 
what  you  did. 

“Successful  programs  collect  the  relevant 
metrics  for  you  to  measure  your  progress,” 
Treece  says.  “What  were  you  busy  doing?  Were 
you  busy  doing  the  right  things  or  the  wrong 
things?  I’m  in  the  process  of  implementing  a 
set  of  metrics.  We  have  to  be  able  to  brief 
others  as  to  how  we  are  spending  the  security 
dollar  here  at  Massport.”  (Although  Massport 
is  a  public  agency,  its  operations  are  funded 
solely  through  private  sources  such  as  fees, 
bridge  tolls,  rents  and  parking  revenue.  In 
other  words,  no  tax  dollars  are  harmed  during 


the  making  of  security  at  Massport.) 

While  he  concedes  that  he  has  the  last  word 
in  setting  strategy  and  direction,  his  is  a  con¬ 
sultative  approach  that  draws  on  lots  of  other 
inputs.  For  example,  to  offer  an  outside  per¬ 
spective,  Treece  has  assembled  a  security 
council  of  local  business,  political  and  aca¬ 
demic  leaders.  (Included  in  the  group  is  Sheila 
Widnall,  former  secretary  of  the  Air  Force  and 
now  a  professor  at  MIT.)  “Everyone  has  a 
voice.  The  [local]  communities  have  a  voice; 
the  employees  have  a  voice;  the  security  pro¬ 
fessionals  have  a  voice;  the  operational  lead¬ 
ers  have  a  voice;  the  board  of  directors  has  a 
voice.  And  this  security  advisory  committee 
has  a  voice,”  Treece  says.  “Everybody  has  a 
voice.  It’s  just  that  I  have  the  loudest  voice.” 

More  Than  a  Cost  Center 

Unlike  most  CSOs,  Treece  is  in  the  enviable 
position  of  serving  an  enterprise  whose  main 
product  is  security.  So  for  him,  the  agonies  of 
getting  security  issues  on  the  radar  of  top  exec¬ 
utives  isn’t  a  problem.  He  reports  directly  to 
Massport  CEO  Craig  Coy,  who  like  Treece  has 
an  armed  services  background  (Coast  Guard) 
to  go  along  with  his  Harvard  Business  School 
degree.  Treece  describes  his  relationship  with 
Coy  as  “excellent.  There’s  no  one  between 
myself  and  him— almost  physically.”  Coy’s 
office  is  two  doors  down  the  hall.  “I  have  24- 
hour  access  to  the  CEO,  total  support,”  says 
Treece.  “That  was  the  promise  that  went  with 
the  job.” 

So,  despite  the  ostensible  fear  factor  in  the 
challenges  that  face  him  at  Massport,  does 
Treece  also  see  himself  as  being  fortunate? 

“I  do.  It’s  one  of  the  reasons  I  took  this  job,” 
he  says.  “It  was  the  [right]  time  to  come  here. 
There’s  a  window  of  opportunity,  post-9/ll, 
where  security  in  the  transportation  sector  is 
on  the  top  of  the  pile.  So  this  is  a  great  time  to 
come  into  a  CSO  position.  Of  course,  it’s 
incumbent  on  me  to  make  good  use  of  that 
[opportunity]  and  not  overuse  the  position 
that  security  now  has  within  the  organization.” 

At  Massport,  security  “is  the  avowed  top 
priority,”  Treece  says.  “Given  9/11,  and  given 
the  fact  that  if  you  don’t  have  the  faith  of  the 
traveling  public,  you  don’t  have  a  traveling 
public— security  is  job  one.” 

It  has  to  be.  Little  things  are  always  hap¬ 
pening.  On  the  day  CSO  spoke  with  Treece,  a 


HOW  LOGAN  AIRPORT  IS  WORKING  TO  GET  YOUR  BAGS  WHERE 
THEY’RE  GOING-QUICKLY  AND  SAFELY 


YOU  MIGHT  THINK  that  deploying  a  state-of- 
the-art  baggage-screening  system  is  a  simple 
matter  of  plunking  down  your  $146  million  and 
watching  as  the  new  machines  are  delivered 
and  assembled.  Life  should  be  so  simple. 

"We  built  85,000  square  feet  of  new  bag 
rooms,”  says  Dennis  Treece,  director  of 
corporate  security  at  the  Massachusetts  Port 
Authority,  or  Massport,  the  public  agency  that 
runs  Boston’s  Logan  International  Airport. 

“We  renovated  55,000  square  feet  of  old  bag 
rooms  and  installed  2.8  miles  of  new  bag 
belting  in  4-foot  sections— each  section  with 
its  own  motor,  and  each  motor  going  to  a 
control  panel  run  by  a  computer  program  that 
had  to  be  designed  onsite.  Because  no  two 
bag  belts  are  the  same,  no  two  bag-belt 
systems  are  the  same,  and  each  airline  has  its 
own  unique  software.  And  everything  had  to 
match  and  merge.  We  installed  the  L3 
[screening]  machines  that  do  the  scanning  for 
explosive  devices  in  bags.  They  go  at  eight 
feet  per  minute;  the  bag  belt  goes  at  30  feet 
per  minute.  So  you’ve  got  to  have  step-down 
sections  in  speed.  The  mouth  of  the  [L3] 
machine  is  small,  so  we  had  to  figure  out  how 
we’re  gonna  make  bags  go  in  there  without 
hanging  up  and  without  putting  a  human  at 
the  mouth  to  make  it  sort  out.  We  had  to 
make  sure  that  no  bag  could  accidentally  go  from  the  unscreened  to  the  screened 
area.  So  there’s  air  gaps,  physically,  in  the  bag  room,  such  that  a  TSA  employee  has 
to  actually  take  the  bag  and  move  it  from  the  inbound  belt  to  the  outbound-to-the- 
plane  belt,  only  after  it’s  been  cleared. 

“And  all  of  this  had  to  be  done  in  the  nine  months  that  we  had  between  contract  let 
and  execution  time.  And,  oh  by  the  way,  we  really  want  to  thank  Congress  for  estab¬ 
lishing  a  deadline  in  the  middle  of  the  peak  travel  period  in  the  country.” 

The  system  went  live,  as  decreed  by  law,  on  midnight,  Dec.  31,  2002. 

“It  wasn’t  easy,”  says  Treece.  “Eight  new  power  substations  [had  to  be  added] 
because  these  L3  machines— we  have  between  30  and  40  of  them  on  station— are  like 
MRIs.  They’re  huge  power  hogs.  So  we  needed  the  new  substations  to  make  them 
work.  Just  a  lot  of  things  had  to  be  done,  and  had  to  be  done  fairly  quickly.  We  peaked 
at  800  people  onsite  on  one  day— 800  workers  [from  the  various  contractors]  doing 
all  of  the  things  necessary.  They  came  from  40  different  states  and  20  different  coun¬ 
tries.”  -L.M. 


What  did  it  take  for  Massport  to  update 
Logan  Airport’s  baggage-screening 
system  in  nine  months?  An  additional 
85,000  square  feet  in  new  baggage 
rooms,  2.8  miles  of  new  belt,  eight  new 
power  substations,  and  800  workers  from 
40  states  and  20  countries. 
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Transportation  Security  Administration  (TSA) 
employee  was  caught,  incomprehensibly, 
bringing  a  loaded  handgun  to  work  at  Logan. 
The  gun  was  detected  in  the  employee’s  coat 
during  a  routine  screening  to  which  all  work¬ 
ers  are  subjected  when  they  show  up  for  each 
shift.  The  spin  on  the  incident  was,  naturally, 
that  the  system  works.  Less  than  a  week  later, 
a  United  Airlines  flight  from  Boston  to  San 
Francisco  was  delayed  when  a  passenger 
found  a  box  cutter  in  a  seat  pocket  in  the  first- 
class  compartment.  The  passenger  reported  it 
to  a  flight  attendant  and  the  plane  was  imme¬ 
diately  emptied  and  searched,  and  the  pas¬ 
sengers  rescreened,  before  the  aircraft  was 
reboarded  and  allowed  to  depart.  No  expla¬ 
nation  for  the  presence  of  the  box  cutter  was 
found  before  the  plane  finally  pushed  back, 
but  later  it  was  learned  that  an  airline  main¬ 
tenance  worker  in  Denver  was  the  source 
(raising  questions  about  a  possible  gap  in  air¬ 
port  security  involving  ground  personnel). 

Treece  believes  that  the  traveling  public  is 
prepared  to  endure  a  reasonable  level  of 
inconvenience  in  exchange  for  greater  confi¬ 
dence  in  the  travel  experience.  But  how  much 
will  travelers  be  willing  to  put  up  with  before 
convenience  and  service  degrade  unaccept¬ 
ably?  In  other  words,  as  in  every  other  security 
context,  how  much  is  enough  versus  too 
much?  And— also  as  in  eveiy  other  security 
context— mitigation  of  the  impact  of  security 
measures  on  productivity  (or,  in  this  case,  the 
customer  experience)  is  paramount. 

He  offers  the  example  of  Logan’s  new 
$146  million,  federally  mandated  baggage¬ 
screening  system  (see  “Carrying  a  Lot  of  Bag¬ 
gage,”  Page  31).  “Because  of  the  way  Logan  is 
laid  out,  we  had  no  lobby  space  in  which  to  put 
these  [new  X-ray]  machines.  And  we  did  not 
want  the  traveling  public  to  have  an  impact 
from  100  percent  baggage  screening.  So  every¬ 
thing  is  in  the  basement;  everything’s  inline,” 
he  says.  “It  still  takes  four  to  five  minutes  for 
your  bag  to  get  from  check-in  to  the  plane. 
And  this  includes  going  through  the  [X-ray] 
machine.  There’s  a  little  bit  of  extra  time  if 
the  machine  can’t  clear  a  bag  and  the  TSA 
has  to  physically  get  into  it.  But  we’re  not 
experiencing  any  late  push-backs,  and  no  bags 
are  missing  their  flights  because  of  this  added 
security.  There’s  plenty  of  time  within  the  tra¬ 
ditional  window  of  arriving  an  hour  before 


your  flight  in  order  to  make  that  happen.” 

But  customer  convenience  is  no  longer  the 
only,  or  even  the  prime,  directive.  At  Logan 
and  elsewhere  in  town— the  Tobin  Memorial 
Bridge,  the  Conley  Container  Terminal  in 
South  Boston,  Hanscom  Field  in  nearby 
Lexington  and  Worcester  Regional  Airport- 
security  is  Massport’s  main  deliverable. 

“Remember  that  the  nation  is  at  yellow 
alert.  [Editor’s  note:  At  the  time  of  the  inter¬ 
view,  Homeland  Security’s  advisory  system 
was  at  the  yellow  level,  indicating  “significant 
risk”  of  terrorist  attack.]  And  yellow  alert 
means  that  there’s  a  significant  chance  of  ter¬ 
rorism  from  those  who  have  declared  war 
against  our  civilization,”  says  Treece.  “So  we 
have  in  place  today  what  we  call  yellow  plus.’ 
We’ve  done  more  [at  Logan]  than  we  think  is 
absolutely  necessary.  And  the  reason  for  that 
is  that  we  do  not  expect  to  get  actionable  intel¬ 
ligence  telling  us  that  the  threat  will  increase.” 

Getting  Ahead  of  the  Curve 

In  fact,  one  of  Treece’s  laments  about  the 
homeland  defense  effort  to  date  is  that  there 
have  been  no  effective  mechanisms  developed 
to  get  meaningful  intelligence  out  to  people 
who  could  put  it  to  good  use.  “We’ve  got  to  fig¬ 
ure  out  how  to  get  U.S.  intelligence  into  the 
hands  of  first  responders,  including  guys  like 
me  who  have  to  develop  plans  and  procedures 
based  on  the  magnitude  of  the  threat,”  he  says. 
“If  you  can’t  tell  me  what  the  magnitude  of  the 
threat  is,  don’t  expect  me  to  be  on  top  of  it; 
expect  me  to  be  reactive.  And  I  hate  being 
reactive.  I  want  to  be  proactive.  I  want  to  get 
ahead  of  the  curve.” 

To  that  end,  he  stays  in  touch  with  former 
colleagues  in  the  intelligence  community— 
though  there  are  strict  limits  to  what  they  can 
share  with  him  because  he  lacks  an  intelli¬ 
gence  clearance.  (That  may  soon  be  remedied. 
Treece  has  applied  for  a  clearance,  through  the 
TSA  as  his  sponsor,  which  he  expects  will  be 
granted.) 

Still,  even  given  his  background  (or  maybe 
because  of  it),  Treece  thinks  that  intelligence 
can  be  overrated.  “I’m  not  convinced  that  the 
United  States  has  all  the  information  that  we 
need,”  he  says.  “These  are  the  most  difficult 
types  of  intelligence  operations  you  can 
[attempt].  Penetrating  al-Qaida’s  got  to  be 
next  to  impossible.” 
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Everyone  has  a 
voice.  The  loca 
communities  have  a 
voice;  the  employees 
have  a  voice;  the 
security  professionals 
have  a  voice;  the 
operational  leaders 
nave  a  vo  ce. 
Everybody  has  a 
voice.  It’s  just  that 
I  have  the  oudest 
voice.” 


-DENNIS  TREECE 
DIRECTOR  OF  CORPORATE  SECURITY 

MASSPORT 
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Lacking  reliable  intelligence,  you  use  your 
imagination.  “These  [terrorists]  do  not  give 
you  any  warning.  These  people  strike.  And 
we’re  doing  everything  we  can  to  anticipate 
the  next  type  of  attack,”  says  Treece.  “The 
more  difficult  we  make  it  to  steal  an  airplane 
and  use  it  as  a  missile,  the  less  likely  that 
becomes.  So  what’s  next?  I  spend  an  awful  lot 
of  my  time  thinking  about  that  and  then 
developing  security  around  those  [potential] 
things.” 

Along  those  lines,  Treece  thinks  about  the 
airport  of  the  future.  Notwithstanding  an 
ambitious  and  expensive  upgrade  that  Logan 
is  in  fact  still  undergoing,  the  whiteboard  in 
Treece’s  office  has  a  sketch  of  some  big  ideas 
for  a  safer,  more  efficient  air  travel  environ¬ 
ment. 

The  sketch  shows  graduated  transitions 
from  purely  public  (and  less  secure)  spaces 
and  structures  leading  inward  to  those  that  are 
stringently  controlled  and  sequestered.  High 
dirt  embankments  rise  between  roadways  and 
would  deflect  the  force  of  a  car  bomb.  Drop¬ 
off  and  pickup  is  envisioned  occurring  at  the 
ends  of  long  tunnels  leading  into  and  out  of 
the  terminals.  The  terminals  themselves 
would  be  fortified  by  embankments  and 
buried  under  green  space  on  the  other  side  of 
which  “you  wouldn’t  even  hear”  a  bomb  blast. 
Treece  is  enthusiastic  about  the  need  to  bring 
architecture  and  security  together. 

“Man,  I  could  take  you  over  to  terminal  E 
and  show  you  a  beautiful  building.  I  mean,  it’s 
breathtaking.  But  there’s  just  one  thing  wrong 
with  it— it’s  made  out  of  glass,”  he  says  as  he 
shakes  his  head.  “Glass!”  Like  political  patron¬ 
age,  the  vestige  of  a  more  innocent  age. 

Life  on  the  Edge 

There  is  a  beach  at  the  edge  of  Logan  Airport. 
On  some  level,  the  very  existence  of  that  totally 
open  and  unprotected  beach  just  galls  Treece. 
It  makes  him  envision  bad  guys  in  wet  suits 
coming  out  of  the  water— the  kinds  of  people 
against  whom,  as  he  puts  it,  you  would  just 
want  to  “open  up  a  can  of  whuppass.” 

That  has  led  Massport  to  make  a  self- 
interested  alliance  with  the  clam  diggers  who 
eagerly  work  the  fertile  flats  adjacent  to 
Logan’s  runways.  For  14  months  the  clam- 
mers  were  banned.  “When  9/H  happened,” 
says  Treece,  “everybody  shut  all  the  ‘gates.’ 


And  one  of  those  gates  was  the  beach.” 

The  problem  was  that  Massport  didn’t 
know  much  about  the  clammers  because, 
before,  it  had  never  seemed  important  to 
know.  But  post-9/H,  says  Treece,  “all  things 
that  were  unknown  were  questionable,  and 
all  things  that  were  questionable  were 
stopped.”  That  greatly  displeased  the  clam 
diggers,  whose  livelihood  was  disrupted,  and 
who  waited  out  a  solution  that,  in  essence, 
turned  them  into  vendors  like  any  others  who 
service  the  airport.  “The  vendors  all  have  to 
have  fingerprint-based  criminal  history  back¬ 
ground  checks.  And  they  have  to  be  badged 
and  be  a  known  quantity,"  he  says. 

So  the  clammers  have  now  gone  through 
that  process.  In  addition  to  being  licensed  by 
the  state’s  fishery  department,  they  are  official 
known  entities  at  Logan.  They  have  badges, 
wear  special  vests  and  are  regularly  checked 
on  by  security  guards.  In  addition,  they  are 
extra  eyes  and  ears  at  the  edge  of  the  airport 
property. 

“And  we  appreciate  that,”  says  Treece  of 
the  clammers  (who  now,  after  their  14-month 
hiatus,  are  digging  up  a  record  harvest  from 
the  long-neglected  flats).  “The  [nearby] 
Winthrop  Yacht  Club  is  in  the  same  position 
to  help  us,  and  we’re  working  to  make  sure 
that  they  know  what  number  to  call  if  they  see 
something  out  of  the  ordinary.  Because  these 
are  the  people  who  know  everything  that  is 
ordinary  [on  the  waterfront  scene],  whereas 
we  don’t.  So  we’re  happy  to  be  associated  with 
good  Americans  out  there  protecting  our 
flank.” 

The  beach  forms  one  part  of  Treece’s 
perimeter.  Massport’s  computer  networks 
form  another.  “My  perimeter  is  my  perimeter,” 
he  says.  “My  background  has  been  in  all  of 
the  security  fields  that  exist.  It’s  all  pretty 
much  important  to  me.  And  there’s  nothing 
more  important  to  me  than  our  information 
technology  network  because  it  touches  every¬ 
thing.  It  hits  every  one  of  my  strategic  focus 
areas— and  in  a  big  way.”  Treece  works  hap¬ 
pily  with  Massport’s  Director  of  IT  Francis 
Anglin,  whom  Treece  credits  with  being  very 
savvy  about  security.  The  network  at  Massport 
is  old  but  ironclad. 

“We  hired  a  firm  to  try  to  hack  into  our 
network.  They  were  unsuccessful.  We  have  a 
private  network  that’s  not  addressable  from 


Boston  area  clam  diggers  are  seen  at  low  tide 
along  the  shoreline  around  Boston’s  Logan 
International  Airport.  The  area  near  the  airport 
was  eventually  reopened  to  clammers  after  the 
Sept.  11  attacks. 


the  Internet.  You  have  to  come  through  a  spe¬ 
cial  server— a  network  address  table,  a  NAT 
server— to  get  to  our  network,”  he  says.  “Those 
[servers]  are  tightly  controlled,  and  they  are 
the  only  things  that  touch  the  network  (those 
and  the  public  Web  servers  we  use).  So  we 
conduct  our  business  just  fine,  and  maybe 
we’re  not  hackerproof,  but  the  company  we 
hired  spent  25  hours  trying  to  hack  into  our 
systems  and  couldn’t  do  it.” 

Among  the  things  Treece  wants  from  tech¬ 
nology  is  more  data  on  the  variability  of  threat 
levels  across  those  focus  areas.  He’s  in  the 
midst  of  developing  a  system  that  aims  to  syn¬ 
thesize  various  data  points  into  a  real-time, 
rolling  assessment  of  risk— something  that 
could  express  threat  as  a  numerical  variable. 
Once  again,  he  turns  to  the  detested  beach. 

“The  beach  is  a  vulnerability,”  says  Treece. 
“I  have  a  list  of  the  types  of  threats  that  can 
exploit  the  beach.  There’s  a  numerical  value 
for  each  of  these  based  on,  say,  the  destructive 
power  of  a  sniper  coming  out  of  the  water,  as 
opposed  to,  you  know,  a  streaker.”  Risk  equals 
the  destructive  power  of  an  event  multiplied 
by  the  likelihood  of  its  occurrence,  he  says. 
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“So  at  the  end  of  the  day,  the  residual  risk  of 
that  open  beach  will  have  a  defined  value 
based  on  the  best  judgment  I  can  give  it  along 
with  my  team.” 

And  would  he  be  able  to  take  certain 
actions  guided  by  fluctuations  in  those  defined 
values?  Sure,  he  says,  “it  could  cause  us  to 
raise  the  color  level  from  yellow  to  orange, 
based  on  our  new  calculations,  without  the 
state  telling  us  to  do  that.  We  might  even  want 
to  tell  the  state  that  we  think  we  ought  to  go 
to  orange,  and  here  are  the  reasons.” 

High-Touch  Strategies 

But  numerical  variables,  no  matter  how  pre¬ 
cise,  take  you  only  so  far.  Security  ultimately 
comes  down  to  human  strategies.  Take,  for 
example,  the  work  of  Israeli  security  consult¬ 
ant  Rafi  Ron,  who  recently  trained  members 
of  the  Massachusetts  State  Police  in  tech¬ 
niques  pioneered  by  the  Israeli  national  air¬ 
line,  El  Al.  No  technologies  are  required— no 
sensors  or  X-rays  or  metal  detectors— only 
the  power  of  observation  applied  to  human 
behavior.  It’s  behavioral  pattern  recognition 
joined  with  a  purposeful,  but  deceptively 
casual,  interview  technique. 

The  method,  says  Treece,  “is  based  on  the 
premise  that  anybody  who’s  about  to  [commit 
a  crime]  is  not  acting  like  everybody  else.”  A 
state  trooper  who  observes  someone  acting 
unlike  everybody  else  approaches  the  subject 


and  initiates  a  conversation.  “It  might  start 
off,  ‘Cold  day,  isn’t  it?’  Very  casual,  just  to  see 
the  response,”  he  says.  “What’s  the  body  lan¬ 
guage?  Is  the  person  starting  to  stammer  and 
stutter  and  sweat?  What  about  the  eyes?  Are 
they  dilated?  All  these  little  manifestations  of 
nervous  behavior.” 

Treece  notes  that  some  people  are  simply 
nervous  flying  or  are  nervous  whenever  they 
talk  to  a  cop.  But  Ron  says  that  the  technique’s 
goal  is  to  begin  with  an  assumption  that 
there’s  a  reasonable  explanation  for  the 
observed  behavior  and  to  find  out  what  it  is. 
“During  the  course  of  the  interview,”  says 
Treece,  “the  focus  is  on  ‘Why  are  you  here?’ 
Even  though  it’s  a  public  place,  [an  airport 
is]  a  potentially  dangerous  public  place....  In 
the  course  of  the  interview  process,  very 
quickly,  the  [trooper]  can  determine  if  there’s 
something  unusual  going  on.  As  the  interview 
progresses,  it  becomes  more  and  more  of  a 
law  enforcement  matter.  And  sometimes  it 
has  resulted  in  an  arrest— if  not  by  the  state 
police,  then  by  the  Immigration  and  Natural¬ 
ization  Service,  for  instance. 

“It’s  a  great  system.  We  just  have  to  be  very 
careful. ..that  we  monitor  [its  use]  so  that  it 
doesn’t  become  viewed  as  another  racial  pro¬ 
filing  deal,”  Treece  says. 

Treece  says  that  Massport  is  compiling  sta¬ 
tistics  for  review  by  the  American  Civil  Liber¬ 
ties  Union  once  the  system’s  been  in  place  for 


a  year.  For  its  part,  the  ACLU  says  it  has  an 
open  mind  about  the  potential  value  and  fair¬ 
ness  of  the  program. 

While  it’s  the  primary  job  of  the  state  police 
at  Logan  Airport  to  look  for  suspicious  behav¬ 
ior,  the  airport’s  13,000  employees  are  also 
focused  on  security  as  an  integral  part  of  what¬ 
ever  their  jobs  might  be.  “The  employees  are 
our  first  line  of  defense,”  says  Treece.  “They  are 
literally  our  eyes  and  ears.” 

On  the  theory  that  it’s  always  better  to  catch 
people  doing  something  right  than  something 
wrong,  he  has  inaugurated  an  awards  pro¬ 
gram  to  recognize  employees  who  show  an 
exceptional  level  of  security-mindedness.  He 
gets  up  and  plucks  a  certificate,  enclosed  in  a 
dark  blue  folder,  from  the  credenza  in  his 
office.  First  Line  of  Defense  Award,  the  cer¬ 
tificate  reads.  There’s  a  scrollwork  border,  the 
Massport  logo,  an  embossed  gold-foil  medal¬ 
lion  sticker  and  a  line  for  the  recipient’s  name. 

“When  an  employee  steps  outside  their  own 
role  and  does  some  security  function,  we  rec¬ 
ognize  them,”  says  Treece.  “There’s  an  8:30 
security  meeting  every  morning  at  Logan. 
Seven  days  a  week.  Packed  house.  Has  been 
ever  since  9/11.  We  pick  a  day  convenient  to 
the  schedule  of  the  person  who  is  being  rec¬ 
ognized,  and  we  award  it  publicly.  And  a  let¬ 
ter  goes  up  through  the  chain  of  command  so 
their  boss  knows  that,  hey,  one  of  your  guys 
did  a  really  great  thing.” 

And  this  award— like  the  back-scanner  X- 
ray  unit  at  the  container  cargo  port,  or  the 
TSA  passenger  checkpoints  or  the  inline  bag¬ 
gage-screening  system  in  Logan’s  basement— 
is  also  part  of  the  security  process.  It  helps 
give  shape  to  the  small  bits  of  effort  and  cre¬ 
ates  the  sense  that  they  all  fit  together  in  an 
orderly  way  that  eventually  equals  confi¬ 
dence-confidence  that  there’s  a  chance  of 
overcoming  the  persistent  threat  of  wicked¬ 
ness  and  erasing  the  lingering  stain  of  9/11.  ■ 

Editor  in  Chief  Lew  McCreary  can  be  reached  via  e-mail 
at  mccreary@cxo.com. 


•  '  .  .  •• 

Dennis  Treece  knows  that  security  is  not  a 

one-size-fits-all  proposition.  Visit  CSOonline’s 

THREATS  &  RECOVERY  RESEARCH  CENTER 

for  resources  and  creative  solutions  to  help  solve 
your  company’s  security  problems.  Go  to 

www.csoonline.com/threats. 
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Don’t  Lose  Your 


Intellectual  property 
isn’t  always  easy 
to  identify. 

It’s  even  harder 
to  protect. 
Here’s  how  CSOs 
can  work  with  others 
to  protect  their 
companies’  future. 

By  Simone  Kaplan 


IN  THIS  STORY:  How  to  recognize  and 
protect  against  threats  to  your  company’s 
intellectual  property  ■  Understanding 
the  boundaries  of  IP  and  how  it  fits  into 
the  CSO  role 


Pity  the  CSO  .  His  worth  is  often  measured  by  what  doesn’t 

happen  on  his  watch.  And  he’s  often  asked  to  protect  things  you  can’t  see. 

If  you  think  it’s  tough  to  secure  a  building  or  a  network,  try  protecting  an  idea. 
Ideas  are  invisible;  they  have  a  habit  of  working  their  way  into  conversations— and 
not  always  with  the  people  who  should  be  hearing  them.  They  can  get  lost  or 
stolen  without  anyone  knowing  they’re  even  gone  until  your  competitor  beats  you 
to  market  with  an  innovation  you  thought  was  yours  alone. 

Yet  ideas  are  much  more  valuable  than  many  of  the  tangible  assets  a  CSO  is 
sworn  to  protect.  Intellectual  property  can  be  anything  from  a  particular  manu¬ 
facturing  process,  plans  for  a  product  launch,  a  chemical  formula  or  the  names  of 
the  countries  in  which  your  patents  are  registered.  In  short,  this  kind  of  intangi¬ 
ble  proprietary  information  can  amount  to  nothing  less  than  your  company’s  com¬ 
petitive  future. 

More  and  more,  protecting  such  assets  falls  within  the  job  description  of  the  CSO. 
However,  sometimes  intellectual  property  ranks  lower  on  a  CSO’s  priority  list 
than  other  security  concerns,  not  because  it  is  any  less  important  but  because  it’s 
just  so  hard  to  wrap  your  brain  around.  Intellectual  property  also  varies  from 
company  to  company  and  industry  to  industiy.  A  CSO  in  the  entertainment  indus¬ 
try,  for  example,  is  not  necessarily  going  to  look  at  IP  loss  and  theft  in  the  same  way 
as  a  CSO  at  a  chemical  company— so  CSOs  will  approach  protection  of  their  com¬ 
panies’  assets  differently. 

The  upside  is  that  IP  loss,  and  how  it  happens,  is  predictable.  Which  means  you 
can  act  preemptively.  But  IP  protection  requires  patience  and  tenacity.  Like  every¬ 
thing  else  in  life,  it’s  not  easy. 


ILLUSTRATION  BY  BRIAN  STAUFFER 
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Intellectual  Property 
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Understand  What  to  Protect 

Think  of  intellectual  property  as  the 
lifeblood  of  an  organization.  “If  a  company 
loses  its  assets,  it  could  die,”  says  James 
Chandler,  president  of  the  National  Intel¬ 
lectual  Property  Law  Institute.  Intellectual 
property  comprises  the  principal  assets  by 
which  a  company  is  able  to  create  its  prod¬ 
ucts  or  services.  If  those  assets  are  lost  or 
stolen,  the  company  could  lose  its  foothold 
in  the  marketplace.  In  fact,  intellectual 
property  theft  costs  U.S.  companies  about 
$300  billion  per  year,  according  to  Richard 
Isaacs,  senior  vice  president  at  The  Lubrinco 
Group,  a  risk  management  company. 

The  best  way  CSOs  can  protect  propri¬ 
etary  information  is  by  educating  themselves 
and  their  employees  about  what  their  organ¬ 
izations  hold  valuable.  If  all  employees 
understand  what  needs  to  be  protected,  they 
can  better  understand  how— and  from 
whom— to  protect  it.  To  do  that,  CSOs  must 
communicate  on  an  ongoing  basis  with  the 
executives  who  oversee  intellectual  capital. 

Meet  with  the  CEO,  COO  and  representa¬ 
tives  from  HR,  marketing,  sales,  legal  serv¬ 
ices,  production  and  R&D  at  least  once  a 
quarter,  if  not  more  often,  says  John  Pon- 
trelli,  director  of  security  at  W.L.  Gore  & 

Associates.  “You  must  work  in  concert  as  a 
group  to  adequately  protect  IP,”  he  says, 
emphasizing  that  such  communication  is 
an  ongoing  process,  not  a  onetime  event. 

Once  you  understand  your  organization’s 
products,  research  and  intellectual  capital 
base,  and  you’ve  established  a  pattern  of 
communication  with  other  departments, 
then  you’ve  formed  the  base  on  which  to 
begin  to  build  an  IP  protection  plan.  CSOs 
who  have  been  protecting  intellectual  prop¬ 
erty  for  years  recommend  doing  a  risk  vul¬ 
nerability  and  cost-benefit  analysis  at  this  ” 

point.  Make  a  map  of  your  company’s  assets,  noting  which  are  con¬ 
sidered  the  most  valuable.  Determine  what  information,  if  lost,  would 
hurt  your  company  the  most.  Then  decide  which  of  those  assets  are 
most  at  risk  of  being  stolen. 

It’s  What’s  Inside  That  Counts 

Initially,  it  may  look  like  most  of  the  threats  to  your  intellectual  prop¬ 
erty  are  external,  but  that’s  typically  not  the  case.  No  matter  what  your 
industry,  intellectual  property  is  lost  or  stolen  in  the  same  ways:  inse¬ 
cure  IT  systems,  disloyal  workers  or  social  engineering. 

Whether  careless,  clueless  or  downright  malicious,  employees  are 


To  protect  your  company’s  intellectual 
property,  you  have  to  understand  what 
is  valuable  to  your  company.  To  do 
that,  you  need  to  be  able  to  define 
intellectual  property  for  yourself. 

When  asked  to  define  IP,  most  CSOs  can’t 
really  do  it,  says  Scott  Nelson,  former  vice 
president  of  security  at  AOL  Time  Warner. 

“If  you  ask  10  companies  to  define  what  their 
intellectual  property  is,  you'll  get  the  same 
definition,  but  you’ll  also  get  10  different  ideas 
about  what’s  important  to  them,"  Nelson  says. 
“It’s  amazing— no  one  knows  for  sure.” 

According  to  the  World  Intellectual  Prop¬ 
erty  Organization,  IP  is  defined  as  creations 
of  the  mind:  inventions,  literary  and  artistic 
works,  symbols,  names,  images,  and  designs 
used  in  commerce.  At  a  more  granular  level, 

IP  includes  but  is  not  limited  to  proprietary 
formulas  and  ideas,  inventions  (products  and 
processes),  industrial  designs,  and  geographic 
indications  of  source,  as  well  as  literary  and 
artistic  works  such  as  novels,  films,  music, 
architectural  designs  and  webpages. 

In  legal  terms,  IP  generally  falls  into  four 
categories:  patents,  copyrights,  trademarks 
and  trade  secrets  (see  "I’ve  Got  a  Secret,” 

Page  40).  Intellectual  property  registered  in 
one  of  those  categories  with  state  and  federal 
agencies  is  protected  by  law,  and  if  infringed 
upon  or  otherwise  abused,  the  perpetrators 
can  be  prosecuted. 

But  IP  can  also  be  something  broader  and 
less  tangible,  like  an  idea.  If  the  head  of  your 
R&D  department  has  a  eureka  moment  during 
his  morning  shower  and  then  applies  his  new 
idea  at  work,  that’s  intellectual  property  too. 

-S.K. 


the  conduit  through  which  IP  is  most  fre¬ 
quently  compromised.  It’s  easy  for  employ¬ 
ees  to  forget  the  role  their  work  plays  in 
the  company  at  large,  and  they  don’t  always 
remember  that  discussing  a  project  at  a 
cocktail  party  can  put  the  company  at  risk. 
Business  lunches  and  plane  trips,  in  par¬ 
ticular,  are  black  holes  for  intellectual  prop¬ 
erty-employees  are  talking  to  one  person, 
while  someone  else  eavesdrops  or  takes  a 
peek  at  one  of  the  employee’s  laptop  screen. 

Many  employees  have  a  hard  time 
equating  the  importance  of  what  they  do 
with  the  long-term  value  of  the  company, 
says  Lynn  Mattice,  director  of  corporate 
security  for  Boston  Scientific’s  global  oper¬ 
ations.  “They  think  they’re  working  on  a 
tiny  part  of  a  larger  puzzle,  so  what’s  the  big 
deal  if  they  talk  about  it  at  dinner?  You 
have  to  get  them  to  understand  the  criti¬ 
cality  of  their  job,  how  it  fits  into  the  larger 
picture  and  affects  everyone  in  the  com¬ 
pany.  Personalize  it  for  them— make  them 
see  the  personal  impact  of  losing  IP.” 

Sometimes,  employees  give  away  crucial 
information  for  personal  reasons,  without 
knowing  it.  For  example,  your  industry  may 
employ  people  with  PhDs  who,  to  stay  cer¬ 
tified,  must  publish  field-related  research. 
Often  that  poses  a  problem  for  employers 
that  don’t  want  proprietary  intellectual 
property  to  become  common  knowledge. 
“We  want  them  to  publish,”  Pontrelli  says, 
“but  you  can’t  allow  them  to  talk  about 
what  they’re  working  on  because  that 
would  be  of  great  interest  to  competitors.” 


Outside  Looking  In 

Vendors  and  suppliers  are  always  curious 
about  what  a  company  is  up  to,  and  em¬ 
ployees  are  sometimes  too  willing  to  share 
that  information  with  them.  Engineers 
might  enthusiastically  explain  a  top  secret  project  to  a  supplier  just 
because  the  supplier  asked  about  a  certain  part.  You  might  work  with 
outsiders  on  a  regular  basis,  but  they  have  no  obligation  to  keep  that 
information  secret,  particularly  if  they  do  business  with  competitors. 

“There  will  always  be  people  out  there  looking  for  weaknesses  to 
exploit  so  they  can  get  your  goodies,”  says  Jeff  Uslan,  director  of  infor¬ 
mation  protection  and  security  at  Sony  Pictures  Entertainment.  Even 
with  good  software  and  constant  auditing,  any  method  by  which  your 
company  stores  or  transmits  content  has  the  potential  to  be  infil¬ 
trated.  “If  you  don’t  encrypt  your  information,  that’s  it,”  says  Uslan. 

Another  way  in  is  through  social  engineering— calls  from  people 
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posing  as  graduate  students  doing  a  research  project  or  as  ex-employ¬ 
ees  trying  to  track  down  a  former  boss.  CSOs  dub  that  kind  of  attack 
a  pretext  call,  and  even  when  employees  know  what’s  going  on,  they 
sometimes  think  they  can  handle  it  themselves.  What  they  don’t  real¬ 
ize,  says  Mattice,  is  that  they’re  dealing  with  trained  intelligence  pro¬ 
fessionals  who  use  even  tiny  bits  of  information  to  construct  a  picture 
of  what  a  company  is  doing. 

The  people  on  the  other  end  of  the  hacks,  social  engineering  pen¬ 
etrations  and  exploitations  of  employee 
knowledge  are  usually  competitors  or 
someone  hired  by  competitors.  Corporate 
espionage  and  competitive  intelligence 
probes  are  the  underground  fraternities  of 
the  business  world— knowledge  of  their 
existence  is  implicit,  but  no  one  likes  to 
talk  about  them.  They  are,  however,  a  big 
threat  to  the  security  of  your  company’s 
intellectual  property.  If  you  and  your 
employees  aren’t  on  guard,  your  rivals 
could  walk  away  with  everything  from  your 
marketing  plans  to  your  deepest  trade 
secrets.  ( CSO  will  cover  this  topic  in  greater 
depth  in  our  May  issue.) 

Of  course,  there  are  those  who  will  give 
away  IP  assets  on  purpose.  Disgruntled 
employees  walk  out  the  door,  and  despite 
having  signed  nondisclosure  agreements, 
find  their  way  to  the  competition  or  form 
their  own  companies  using  your  trade 
secrets.  It’s  important  to  understand  what 
factors  contributed  to  someone  taking  information  elsewhere,  and 
how  you  could  keep  it  from  happening  again.  “You  can’t  prevent 
everything,”  Sony  Pictures’  Uslan  says.  “But  you  can  try  to  make  sure 
that  people  see  the  consequences  of  breaking  the  rules.” 


here  will  always 
be  people  out 
there  looking 
for  weaknesses 
to  exploit  so 
they  can  get 
your  goodies.” 

-JEFF  USLAN, 

DIRECTOR  OF  INFORMATION 
PROTECTION  AND  SECURITY  AT 
SONY  PICTURES  ENTERTAINMENT 


Lessons  from  the  Field 

At  W.L.  Gore,  intellectual  property  protection  is  crucial,  and  employee 
education  lies  at  the  center  of  the  company’s  efforts.  The  company 
makes  a  chemical  polymer  that,  when  applied  to  outdoor  clothing,  pro¬ 
duces  the  revolutionary  wind  and  waterproof  product  known  as  Gore- 
Tex  that  hikers  and  climbers  treasure. 

Because  W.L.  Gore’s  business  is  built  on  such  intellectual  property, 
Pontrelli  has  created  IP  awareness  presentations  for  employees  at  each 
of  the  company’s  45  locations.  W.L.  Gore  has  many  competitors,  all 
of  whom  would  love  to  get  their  hands  on  the  company’s  proprietary 
information.  And  it’s  not  just  one  person’s  responsibility  to  protect  IP, 
he  reminds  them,  it’s  part  of  everyone’s  job.  Each  employee  is  held 
accountable  for  his  actions. 

Employees  sign  a  nondisclosure  agreement  (NDA)  when  they  join 
the  company,  and  Pontrelli  underscores  the  obligation  of  sticking  to 
that  promise.  He  lets  employees  know  how  losing  intellectual  prop¬ 
erty  hurts  the  company  at  every  level.  “We  all  rely  on  each  other  to  pro¬ 
tect  our  trade  secrets,”  he  says.  “Maintaining  the  integrity  of  those 


secrets  is  the  reason  we’re  able  to  hand  out  bonus  checks  at  the  end 
of  the  year.  So  it  affects  everyone  if  something  happens.”  Pontrelli  also 
goes  over  the  correct  way  to  use  technology  to  minimize  the  likelihood 
of  data  theft,  such  as  using  e-mail  securely  and  saving  electronic  data 
in  a  consistent,  safe  manner  so  that  no  one  outside  the  company  can 
access  the  information. 

W.L.  Gore’s  engineers,  technologists  and  PhDs  receive  a  different 
presentation  from  the  legal  department  that  reviews  the  proper  way 

to  talk  to  vendors,  suppliers  and  reporters, 
and  how  not  to  give  out  information.  “Our 
employees  are  brilliant  people,  but  when 
you  put  them  on  the  phone  with  outsiders, 
they’re  not  necessarily  thinking  about  what 
they  should  or  shouldn’t  say,”  Pontrelli  says. 
“Unintentional  sharing  of  confidential 
information  is  an  area  we  address  with  reg¬ 
ular  IP  awareness  presentations.  The  lit¬ 
mus  test  for  all  of  us  to  ask  ourselves  is, 
Would  I  know  this  information  if  I  didn’t 
work  here,  and  would  my  biggest  competi¬ 
tor  want  this  information?” 

In  2000,  W.L.  Gore  created  an  intellec¬ 
tual  property  committee  to  oversee  com¬ 
munications  with  external  entities  as  a 
major  part  of  its  efforts  to  safeguard  its 
assets.  If  someone  in  the  company  wants  to 
be  quoted  in  a  magazine,  file  for  a  patent  or 
work  with  a  new  supplier,  he  has  to  go 
through  the  IP  committee.  “It’s  a  single 
point  of  review  that  prevents  sensitive  infor¬ 
mation  from  getting  outside  the  company,”  Pontrelli  says.  W.L.  Gore 
is  divided  into  four  large  divisions,  and  before  the  IP  committee  was 
formed,  divisions  would  often  make  decisions  about  what  information 
could  be  released.  “There  was  no  consistent  approach,  and  a  division’s 
business  interest  often  dictated  what  information  was  released  'with¬ 
out  consideration,”  he  says.  “The  root  of  the  IP  issue  is  people.  We  had 
to  find  a  way  to  influence  the  attitudes  and  behaviors  of  our  employ¬ 
ees  so  they  would  be  more  aware  of  the  need  for  and  ways  to  protect 
our  intellectual  capital.” 

As  part  of  the  IP  protection  effort,  W.L.  Gore  now  has  a  call  infor¬ 
mation  center,  where  employees  can  forward  all  inquiries  about  the 
company.  The  center’s  staff  is  carefully  trained  in  the  art  of  sniffing 
out  social  engineering  attempts  and  answering  questions  without 
giving  any  confidential  information  away.  Now,  if  someone  receives 
a  pretext  call,  it  gets  forwarded  to  the  information  center. 

The  best  way  to  keep  your  IP  inside  the  company,  Pontrelli  says,  is 
to  treat  your  employees  with  care  and  respect.  “If  you  take  care  of 
them  when  they  arrive  and  when  they  walk  out  the  door,  they’ll  respect 
the  essence  of  the  NDA;  if  you  don’t,  the  loyalty  factor  is  diminished,” 
he  says.  “Protecting  IP  is  less  about  buying  technology  or  hiring  inves¬ 
tigators  to  chase  people.  It’s  more  about  treating  your  employees  right. 
If  you  make  them  not  want  to  hurt  you,  you'll  minimize  your  exposure. 
We  can  put  up  the  biggest  physical  security  barriers  in  the  world,  have 
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Intellectual  Property 


I  ve  Got  a  Secret 


Four  types  of  intellectual  property  protection 


PATENT  When  you  register 
your  invention  with  the  govern¬ 
ment— a  process  that  can  take 
more  than  a  year— you  get  the 
legal  right  to  exclude  anyone 
else  from  manufacturing  or  mar¬ 
keting  it.  Patents  cover  tangible 
things.  They  can  be  registered 
in  foreign  countries,  a  practice 
that  helps  keep  competitors  from 
finding  out  what  your  company 
is  doing.  Once  you  hold  a  patent, 
others  can  apply  to  license  your 
product.  Patents  last  for  20 
years.  They  can  be  renewed,  but 
if  a  company  allows  a  patent  to 
expire,  it  loses  the  right  to  keep 
others  from  marketing  that 
invention. 


TRADEMARK  A  trademark  is  a 
name,  phrase,  sound  or  symbol 
used  in  association  with  services 
or  products.  It  often  connects  a 
brand  with  a  level  of  quality  on 
which  companies  build  a  reputa¬ 
tion.  Trademark  protection  lasts 
for  10  years  after  registration 
and,  like  patents,  can  be  re¬ 
newed.  But  trademarks  don't 
have  to  be  registered.  If  a  com¬ 
pany  creates  a  symbol  or  name 
it  wishes  to  use  exclusively,  it 
can  simply  attach  the  TM  sym¬ 
bol,  which  effectively  marks  the 
territory  and  gives  the  company 
room  to  prosecute  if  other  com¬ 
panies  attempt  to  use  the  same 
symbol  for  their  own  purposes. 


COPYRIGHT  Copyright  laws 
protect  written  or  artistic  expres¬ 
sions  fixed  in  a  tangible 
medium— novels,  poems,  songs 
or  movies.  A  copyright  protects 
the  expression  of  an  idea  but  not 
the  idea  itself.  The  owner  of  a 
copyrighted  work  has  the  right  to 
reproduce  it,  to  make  derivative 
works  from  it  (such  as  making  a 
movie  based  on  a  book),  or  to 
sell,  perform  or  display  the  work 
to  the  public.  You  don't  need  to 
register  your  material  to  hold  a 
copyright,  but  registration  is  a 
prerequisite  if  you  decide  to  sue 
for  copyright  infringement.  A 
copyright  lasts  for  the  life  of  the 
author  plus  another  50  years. 


TRADE  SECRET  A  formula, 
pattern,  device  or  compilation 
of  data  that  grants  the  user  an 
advantage  over  competitors  that 
do  not  know  it  is  a  trade  secret. 

It  is  covered  by  state,  rather 
than  federal,  laws.  To  protect  the 
secret,  a  business  must  prove  it 
adds  value  to  the  company— that 
it  is,  in  fact,  a  secret— and  that 
appropriate  measures  have  been 
taken  within  the  company  to 
safeguard  the  secret,  such  as 
restricting  knowledge  to  a  select 
handful  of  executives.  Success 
story:  Coca-Cola  has  success¬ 
fully  managed  to  keep  its  for¬ 
mula  under  wraps  for  more  than 
117  years.  -S.K. 


the  best  IT  systems  and  the  tightest  personnel  screening  program, 
but  that  won’t  stop  a  person  from  walking  out  the  door  with  proprietary 
knowledge  in  his  head.” 

Beyond  the  People 

Uslan’s  mantra  is  audit,  audit,  audit.  At  Sony  Pictures,  his  job  depends 
on  maintaining  high  levels  of  data  security— particularly  vital  for 
industries  such  as  his  where  large  quantities  of  proprietary  materials 
are  electronically  stored  and  transmitted.  So  it’s  not  surprising  that 
Uslan  takes  a  vigilant  approach  to  protecting  Sony’s  internal  IT  sys¬ 
tems.  His  department,  which  is  part  of  Sony’s  information  technology 
and  protection  organization,  is  the  caretaker  for  all  Sony  intellectual 
property  in  digital  form.  “If  it’s  on  the  computer,  it’s  my  job  to  protect 
it,”  he  says.  So  he  scrutinizes  Sony’s  IT  systems  worldwide,  testing 
every  method  by  which  his  company  stores  and  transmits  content  to 
make  sure  security  is  up  to  his  team’s  high  standards.  He  and  his  team 
are  also  regular  practitioners  of  penetration  testing,  a  practice  that 
routinely  turns  up  vulnerabilities  that  might  otherwise  not  have  been 
found  until  someone  outside  the  company  had  exploited  them. 

Uslan’s  audits  resemble  an  ambush  by  friendly  guerrilla  forces. 
He  and  his  team  bring  in  a  group  of  tactical  IT  security  experts  spe¬ 
cializing  in  whatever  operating  system  or  software  program  Uslan  is 
auditing  at  the  time.  (The  company’s  network  and  systems  adminis¬ 
trators  are  extremely  competent,  he  emphasizes,  but  their  job  is  to 
keep  Sony’s  systems  up  and  running,  not  to 
analyze  security— hence,  the  specialists.)  The 
group  of  experts  descends  on  each  Sony  loca¬ 
tion  and  begins  auditing  at  the  macro  level, 
analyzing  the  company’s  servers  and  operating 
systems,  checking  for  known  weaknesses,  and 


patching  where  necessary.  Then  it  moves  a  step  down,  looking  at 
every  software  program  and  every  network  port,  testing  as  it  goes. 
Afterward,  Uslan  meets  with  the  network  and  systems  administrators 
to  tell  them  about  any  new  problems  or  vulnerabilities  discovered  dur¬ 
ing  the  audit.  “It’s  not  an  antagonistic  event,”  he  says.  “We  tell  them 
what  we  found,  how  we  found  it,  the  tools  we  used  and  how  they  can 
patch  the  systems  to  prevent  more  holes  from  occurring.  By  the  end, 
we’ve  got  them  excited.  And  we’ve  helped  make  both  the  systems  and 
the  administrators  stronger.”  As  soon  as  the  group  completes  one 
audit,  it’s  on  to  the  next  location  to  begin  the  process  again. 

Uslan  understands  why  he  needs  to  keep  more  than  his  finger 
plugged  in  the  proverbial  dike.  IP  loss  affects  everyone  at  Sony  and 
beyond.  “IP  theft  means  revenue  that  we  can’t  pass  down  to  the  script 
writers,  the  prop  masters,  the  costume  designers,  all  the  people  who 
work  hard  on  films,”  he  explains.  “When  someone  gets  a  movie  for  free 
on  the  Web,  for  instance,  instead  of  going  to  a  theater,  it’s  a  slap  in  the 
face.”  He’s  also  seen  what  happens  when  people  get  complacent  about 
IP  security.  “It’s  when  you  think  you’ve  got  all  the  bases  covered  that 
something  big  goes  wrong.  You  have  to  stay  on  top  of  the  process.” 

It’s  easy  for  CSOs  to  place  the  protection  of  ideas  a  lot  lower  on  the 
priority  list  than  protecting  buildings  and  employees.  Like  Uslan  says, 
CSOs  get  comfortable  protecting  what  they  know.  Still,  “intellectual 
property  is  what  keeps  your  company  viable  in  the  market,”  says  the 
National  Intellectual  Property  Law  Institute’s  Chandler.  “And  CSOs 

must  make  protecting  intellectual  assets  one  of 
their  highest  priorities.”  Nothing  less  than  the 
future  of  your  company  depends  on  it.  ■ 

Staff  Writer  Simone  Kaplan  can  be  reached  via  e-mail  at 
skaplan* cxo.com. 


Keeping  sensitive  corporate  data  safe  from 
hackers  is  challenging,  but  how  do  you  protect 
what  is  sent  to  remote  desktops?  Read  “Secur¬ 
ing  the  Corporate  Content:  Post  Delivery  Pro¬ 
tection,"  a  CSOonline  ANALYST  REPORT.  Go 
to  www.csoonline.com/printlinks. 
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WATCH 


By  Lancope 


As  the  most  versatile  IDS  available,  StealthWatch™  rapidly  identifies,  prioritizes  and  mitigates  malicious 
network,  system  and  host  behavior  by  dynamically  detecting  deviations  from  typical  profiles  and 
acceptable  security  policies.  More  than  an  IDS,  StealthWatch  provides  a  continuous  assessment  of  risks  and 
policy  compliance,  insightful  forensic  analysis,  and  optimization  of  network  traffic. 


Visit  us  at  the  RSA  Conference  2003  in  San  Francisco  from  April  13th  -  April  16th  at  booth  201 


Request  your  free  white  paper  "Behavior-based  IDS:  StealthWatch  Overview  and  Deployment 
Methodology"  at  http://www.lancope.com 


StealthWatch  and  Lancope  are  Registered  Trademarks  of  Lancope,  Inc. 
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Fear,  uncertainty  and  doubt  may 
help  scare  your  company  into 
short-term  compliance,  but  CSOs 
say  that’s  a  shortsighted  strategy 

By  Daintry  Duffy 
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IN  THIS  STORY:  How 
and  why  scare  tactics 
eventually  backfire 
■  Practical  ideas  for 
more  effectively  com¬ 
municating  security 
risks  and  requirements 
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To  one  degree  or  another,  we  all  live  with  FUD— the 
cacophony  of  fears,  uncertainties  and  doubts  that  plague 
daily  life.  Will  my  401(k)  account  ever  rebound?  Did  I 
leave  the  coffeepot  on  this  morning?  Am  I  really  going 
to  get  a  brain  tumor  from  my  cell  phone? 

But  while  were  all  allowed  to  be  neurotic  worrywarts 
in  our  private  lives,  it’s  seldom  a  quality  that’s  admired 


in  business.  So  why  do  so  many  security  executives  still 
rely  on  gloom  and  doom  tactics  to  sell  management  on 
security  investments? 
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Jim  Mecsics,  VP  of 
corporate  security 
at  Equifax,  strives 
to  take  emotion  out 
of  the  equation. 
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Managing  Up 


Well,  for  one  thing,  it’s  easy— there’s  a 
wealth  of  scare  stories  to  choose  from.  Most 
organizations  still  view  security  as  a  cost  cen¬ 
ter,  and  it’s  much  simpler  to  make  a  dramatic 
“invest  or  else”  argument  than  it  is  to  connect 
security  expenditures  to  the  company’s  bottom 
line  with  analysis  and  research.  The  term  FUD 
was  originally  coined  in  the  1970s  in  refer¬ 
ence  to  IBM’s  marketing  technique  of  spread¬ 
ing  scary  rumors  about  a  competitor’s  new 
product  to  dissuade  customers  from  taking  a 
“risk”  by  buying  it.  FUD  relies  on  emotion— 
not  reason— to  make  a  sale  (or  prevent  one). 
“If  you’re  having  a  [security]  discussion  where 
you’re  talking  about  what  happened  to  the 
other  guy  and  not  looking  at  it  in  terms  of 
what  it  [realistically]  means  to  your  company, 
and  it’s  all  about  them  and  not  about  you¬ 
then  you’re  probably  using  FUD,”  says  Ken 
Tyminski,  vice  president  and  CISO  for  Pru¬ 
dential  Financial. 

Security  executives  and  management 
experts  agree  that  FUD  is  a  short-term  fix  that 
destroys  the  security  team’s  credibility  in  the 
long  term.  Having  witnessed  FUD’s  short¬ 
comings  firsthand,  CSOs  are  developing  more 
practical  and  realistic  techniques  for  making 
the  case  for  security. 


onjuring  up  the  frightening  specter 
of  stolen  customer  information,  a 
media  maelstrom  and  a  plummet¬ 
ing  stock  price  may  create  a  dra¬ 
matic  impact,  but  when  CSOs  call  a  crisis 
every  time  they  need  funding,  they’ll  find  that 
management  catches  on  quickly.  “That 
[approach]  may  work  once  or  twice  in  a  true 
crisis  situation  where  the  bad  guys  have  come 
over  the  back  fence,”  says  Jim  Mecsics,  vice 
president  of  corporate  security  for  Equifax. 
“But  when  you  approach  corporate  officers 
with  the  tactics  of  fear,  you’re  walking  into  a 
trap.  Somebody  will  eventually  say,  ‘OK,  show 
me  where  the  real  [emergency]  is,’  and  then 
your  credibility  is  shot.”  FUD  is  a  particularly 
common  tactic  in  the  lower  ranks  of  a  security 
organization— among  those  who  haven’t 


Ken  Tyminski,  VP  and  CISO  at  Prudential 
Financial,  says  FUD  creates  unnecessary 
expenses. 
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learned  how  to  make  a  data-driven  risk  man¬ 
agement  argument.  A  CSO  who  doesn’t  stamp 
out  FUD  in  his  team  creates  as  much  of  a 
problem  as  the  CSO  who  uses  it  in  personal 
conversations  with  senior  executives. 

Mecsics  has  the  stories  that  prove  the  point. 
Just  after  9/11,  he  was  working  with  a  gov¬ 
ernment  organization  that  decided  it  needed 
to  radically  increase  its  manpower  to  cope 
with  the  concerns  over  terrorist  threats.  The 
organization  set  up  a  conference  and  during  a 
period  of  three  days  hastily  gathered  input 
from  all  its  field  agents  to  take  to  the  senior 
leadership.  Instead  of  research  and  risk  analy¬ 
sis,  many  of  the  agents’  arguments  were  based 
on  guesswork  and  were  rooted  in  the  fear  and 
uncertainty  of  Sept.  11.  Mecsics  says  the  orga¬ 
nization’s  management  started  asking  ques¬ 
tions  and  saw  through  the  frenzy  the  security 
personnel  were  whipping  up,  and  ultimately 
came  to  believe  that  the  security  team  was 
simply  trying  to  feather  its  own  nest  by  capi¬ 
talizing  on  the  terrorist  attacks.  The  net  result 
was  that  the  security  team  lost  its  credibility. 
In  another  organization,  Mecsics  says,  senior 
executives  were  so  frightened  by  the  security 
group’s  use  of  scare  tactics  that  they  became 
obsessed  with  concerns  that  the  company 
would  be  irreparably  harmed  by  a  security 
event,  and  they  lost  the  ability  to  look  at  the 
issue  rationally.  “They  got  worked  into  such  a 
frenzy  that  it  was  like  a  runaway  train,”  says 
Mecsics. 

FUD  also  wastes  money.  When  CSOs  buy 
and  implement  a  security  initiative  based  on 
fear,  they’ll  have  a  much  harder  time  manag¬ 
ing  and  assessing  it  based  on  merit  and  actual 
results.  “You  can  end  up  spending  money  to 
put  a  solution  in  place  that  can  demonstrate 
no  value,”  says  Tyminski.  “It  can  make  the 
security  program  so  expensive  that  people 
won’t  believe  in  it  anymore.” 

But  fundamentally,  the  problem  with  FUD 
is  that  it  sets  up  a  destructive  pattern  of  com¬ 
munication  between  the  CSO  and  manage¬ 
ment— it  breeds  mistrust  and  second-guessing. 
A  CSO’s  persistent  use  of  FUD  tactics  will 
eventually  color  management’s  view  of  every¬ 
thing  he  says  and  does,  affecting  their  percep¬ 
tion  of  his  abilities  and  the  security  function  as 
a  whole.  Do  you  want  to  be  the  business 
enabler  who  is  always  ready  with  ideas  and 
who  projects  good  security  as  a  competitive 


advantage?  Or  the  executive  who  always  walks 
into  meetings  with  a  dire  prediction  to  levy? 

In  place  of  FUD,  CSOs  offer  the  following 
strategies  for  communicating  security  risks 
and  requirements. 

Change  Your  Attitude  CSOs  say  the 
first  step  in  banishing  FUD  is  to  lose 
the  Chicken  Little  attitude  yourself. 
Scare  tactics  are  seldom  necessary  in 
discussions  of  security  anyway.  “With  secu¬ 
rity,  you  don’t  need  to  exaggerate  the  expo¬ 
sures  because  they  really  are  scary  enough 
already,”  says  Pat  Schuler,  a  Minneapolis- 
based  management  coach  and  consultant  who 
has  worked  with  a  number  of  Fortune  500 
clients.  Executives  want  a  CSO  to  give  a 


rational,  factual  presentation  of  the  situation 
followed  by  his  recommendations  for  the  next 
steps  to  take.  That  information  can  cover  the 
worst-case  scenario— or  risks  associated  with 
inaction— but  without  any  unnecessary 
drama.  Schuler  recommends  that  CSOs  con¬ 
dense  information  into  bulleted  items  as  a 
FUD-proof  format  for  communicating  a  situ¬ 
ation  that  executives  can  quickly  and  easily 
understand.  “It  can  be  empowering  [for  man¬ 
agers]  if  you  give  them  all  the  information, 
make  your  recommendation  and  then  instead 
of  pushing  harder,  step  back  to  let  them  make 
a  decision,”  says  Schuler.  “Nobody  likes  to  be 
pushed  up  against  a  wall,  and  that’s  when 
FUD  really  doesn’t  work.” 

As  management’s  filter  for  all  the  security 


information  about  viruses  and  hackers  that 
floats  over  the  transom,  CSOs  are  tasked  with 
providing  a  clear-eyed,  steady-handed  per¬ 
spective  on  what  each  event  or  news  item 
means  to  their  companies.  “Just  the  facts, 
ma’am.  That’s  the  way  I  operate— just  the 
facts,  and  no  emotion,”  says  Mecsics.  “I  have 
to  be  able  to  cull  out  the  bad  and  superfluous 
information.” 

When  all  that  senior  managers  hear  from 
their  CSOs  is  a  succession  of  bad  news,  they 
will  quickly  learn  to  tune  them  out.  Mecsics 
has  witnessed  situations  where  a  security  exec¬ 
utive  lost  stature  within  his  organization  for 
always  going  into  the  boss’s  office  with  bad 
news.  Suddenly  it  becomes  impossible  for  him 
to  get  on  the  CEO’s  schedule,  and  he  is  pushed 
to  a  vice  president  to  have  his  information 


vetted  and  filtered. 

Lew  Wagner,  CISO  at  the  M.D.  Andersen 
Cancer  Center  at  the  University  of  Texas, 
suggests  that  security  executives  make  a  point 
of  picking  off  some  low-hanging  fruit  in  the 
first  year  on  the  job  to  establish  a  flow  of 
positive  information  to  management.  When 
the  Bugbear  virus  started  to  wend  its  way 
through  corporate  networks  last  fall,  Wagner 
made  a  point  of  letting  managers  know  that 
even  though  two  major  institutions  had  been 
felled  by  the  virus,  their  organization  was  pro¬ 
tected.  Wagner  also  created  a  site  for  all  of 
his  user  community  (including  management) 
with  tips  for  identifying  security  threats  and 
guidelines  for  safe  online  behavior  at  work 
and  at  home. 


CSOs  say  the  first 
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Forge  Connections  Communi¬ 
cating  about  security  is  particu¬ 
larly  hard  when  the  security 
executive  is  the  only  one  doing  the 
talking.  CSOs  say  FUD  is  the  last  resort  of 
those  who  haven’t  forged  critical  executive 
partnerships  and  set  in  place  education  ini¬ 
tiatives  that  broaden  the  base  of  security 
responsibility. 

At  Allstate,  Assistant  Vice  President  and 
CISO  Kim  Van  Nostern  works  with  a  team  of 
information  protection  governance  officers 
who  act  as  her  security  tentacles  throughout 
the  organization.  “These  50  officers  are 
responsible  for  making  sure  that  security  edu¬ 
cation  and  awareness  is  prevalent  through¬ 
out  our  company,”  she  says.  “Security  is  not 
just  a  one-person  job;  it’s  a  shared  responsi¬ 
bility.”  Too  often,  CSOs  hesitate  to  delegate 
responsibility  for  security.  They  set  themselves 
up  as  the  resource  for  all  security  information 
within  the  company.  Instead  of  spreading 
their  knowledge,  they  choose  to  listen  to  the 
voice  of  self-preservation  that  whispers,  If  I’m 
the  only  one  who  knows  what’s  going  on,  they 
can't  fire  me.  But  the  ability  to  build  consen¬ 
sus  and  delegate  is  critical  to  avoiding  FUD 
and  communicating  effectively  about  secu¬ 
rity.  Mecsics  describes  this  approach  to  the 
CSO  role  as  being  an  “advocate”  rather  than 
the  “focal  point.” 

Absent  a  formal,  distributed  security  group, 
CSOs  can  fashion  their  own  informal  one  by 
partnering  with  key  business  unit  leaders  who 
will  help  spread  the  word  about  security  and 
back  up  security  initiatives  with  business  unit 
support.  To  build  these  relationships,  focus 
on  not  only  helping  fellow  business  executives 
understand  what  the  security  function  can  do 
for  them  but  on  ensuring  that  they  see  secu¬ 
rity  as  a  help  rather  than  a  hindrance.  CSOs 
who  are  always  putting  the  brakes  on  business 
projects  and  lecturing  about  why  things  can’t 
be  done— as  opposed  to  providing  solutions— 
earn  a  reputation  as  business  disablers  rather 
than  enablers.  That  is  why  business  units  fre¬ 
quently  try  to  circumvent  the  security  process. 

Adam  Hansen,  who  heads  up  the  security 
program  at  law  firm  Sonnenschein,  recom¬ 
mends  focusing  partnership  efforts  on  a  few 
business  executives.  “Once  a  couple  of  for¬ 
ward  thinkers  jump  on  board  with  you,  they’ll 
drag  the  rest,”  he  says.  Pay  particular  attention 


One  CSO’sTooIlsit 
ior  Executive 
Communication 

WHEN  JIM  MECSICS,  vice  president 
of  corporate  security  for  Equifax,  goes 
before  corporate  management,  he’s  fully 
armed  with  facts,  figures,  research  and 
analysis  to  make  his  arguments  all  the 
more  compelling.  Here  are  some  of  the 
sites  that  he  finds  particularly  valuable 
in  making  a  case. 

American  Society  for  Industrial  Security 

www.asisonline.org 

Centers  for  Disease  Control,  Public  Health 
Emergency  Preparedness  &  Response 

www.bt.cdc.gov 

Department  of  Justice’s  Computer  Crime 
and  Intellectual  Property  Section 

www.cybercrime.gov 

Federal  Bureau  of  Investigation 

www.fbi.gov 

Federal  Emergency  Management  Agency 

www.fema.gov 

Homeland  Defense  Journal 

www.homelanddefensejournal.com 

The  International  Policy  Institute  for 
Counter-Terrorism 

www.ict.org.il 

National  Infrastructure  Protection  Center 

www.nipc.gov 

Overseas  Security  Advisory  Council 

www.ds-osac.org 

The  Terrorism  Research  Center 

www.terrorism.com 


to  building  a  strong  relationship  with  the  audit 
group  because  when  the  CEO  and  CFO  are 
pushing  back  on  a  necessary  security  expen¬ 
diture  and  the  CSO’s  anxiety  level  is  rising, 
the  audit  group  can  escalate  the  concern  to  the 
board  of  director  level. 


Educate  and  Deflate  When  a 
CSO  takes  the  time  to  educate 
management  about  security,  it 
smooths  the  way  for  rational 


budget  discussions  and  reduces  the  need  for 
FUD.  A  big  part  of  that  education  process  is 
making  sure  management’s  expectations  from 
the  security  organization  are  realistic.  Infor¬ 
mation  security  is  of  particular  note  in  this 
regard.  “I  still  think  there’s  some  misconcep¬ 
tion  about  IT  security  and  what  it  can  accom¬ 
plish,”  says  Marc  Rogers,  principal  research 
scientist  with  the  Internet  Innovations  Center 
at  the  University  of  Manitoba  and  director 
of  information  security  services  for  Man- 
ageworx  Infosystems.  “There  are  so  many 
interdependencies,  and  sticking  a  finger  in 
one  hole  in  a  leaky  dike  doesn’t  fix  the  other 
nine  or  10  holes.”  CSOs  need  to  temper  man¬ 
agement’s  expectations  of  security  so  that 
executives  understand  that  a  great  firewall 
doesn’t  fix  everything;  all  the  other  pieces  such 
as  an  intrusion  detection  system,  password 
protection  and  antivirus  need  to  be  in  place 
and  functioning  as  a  cohesive  whole. 

CSOs  can  help  manage  expectations  by 
communicating  continually  about  the  com¬ 
pany’s  previous  security  investments  so  that 
management  knows  what  is  paying  off  and— 
more  important— what  isn’t,  and  why.  While 
these  conversations  can  be  uncomfortable, 
they  are  necessary  for  business  management 
to  understand  the  real  capabilities  and  limi¬ 
tations  of  various  security  measures.  CSOs 
who  track  this  kind  of  information  and  com¬ 
municate  it  proactively  to  top  management 
earn  important  credibility. 

Speak  the  Language  CSOs  need 
to  talk  to  management  in  busi¬ 
ness  terms.  This  is  vitally  impor¬ 
tant  to  the  success  of  a  security 
program  for  a  number  of  reasons,  but  it’s  also 
particularly  critical  to  the  goal  of  eradicating 
FUD.  Talking  to  executives  about  “hacks”  and 
“pings”  might  be  effective  at  getting  them  all 
worked  up,  but  chances  are  they’ll  have  no 
idea  what  to  do  with  the  information.  “I 
worked  at  a  place  before  where  you  dropped 
the  word  hacker,  and  the  pocketbooks  opened 
up,”  says  Hansen. 

But  the  lawyers  at  Sonnenschein  are  tech¬ 
nology  savvy  enough  that  the  scare  tactics 
don’t  work  there,  and  the  only  way  to  have  a 
useful  dialogue  is  to  talk  strictly  in  business 
terms.  If  there’s  a  vulnerability,  Hansen 
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“I  worked  at  a  place 
where  srou  dropped  the 
word  hacker,  and  the 
pocketbooks  opened  up.” 

-ADAM  HANSEN,  HEAD  OF  SECURITY,  SONNENSCHEIN 


translates  it  right  into  its  corresponding  busi¬ 
ness  effect— for  example,  he’ll  show  that  if  a 
particular  router  goes  down,  an  attorney  who 
would  normally  bill  18  hours  a  day  could  only 
bill  six.  That  gets  management’s  attention 
pretty  quickly. 

CSOs  need  to  take  themselves  out  of  the 
security  and  technology  world  in  communi¬ 
cating  with  executives.  “I  tease  people  that 
I’m  not  really  in  the  security  business.  I’m  in 
the  risk  management  business,”  says  Tymin- 
ski.  “When  you  take  issues  and  threats  and 
match  them  with  what  the  business  risk  is,  it 
gets  you  out  of  the  FUD  area.” 

Play  the  Numbers  Meticulously 
gathered  and  maintained  metrics 
will  always  make  quicker  work  of 
convincing  management  of  the 
need  for  a  security  investment  than  a  scary 
story.  CSOs  who  keep  good  metrics  can  drop 
the  FUD  and  let  the  numbers  do  the  talking. 
“Every  tool  I  buy  collects  metrics,  runs  reports 
and  keeps  logs,”  says  Wagner.  You  could  use 
general  scenarios  and  still  make  an  eloquent 
argument  for  e-mail  filtering  software,  but 
“when  you  can  tell  an  executive  that  you’re 
logging  150,000  spam  a  day,  that  really  makes 
an  impact.”  At  Sonnenschein,  Hansen  uses  a 
tool  from  Catbird  Networks  to  constantly 
gather  information  about  network  integrity, 
connectivity  and  application  performance. 
The  tool  also  stores  all  the  information  it  gath¬ 
ers,  allowing  Hansen  and  his  staff  to  do 
historical  trend  analysis  and  perform  base¬ 
line  comparisons. 

Although  numbers  about  security  breaches 
and  attacks  have  historically  been  sketchy, 


more  precise  figures  come  out  every  day.  The 
more  ammunition  a  CSO  can  gather  from 
real-world  cases  and  from  his  own  organiza¬ 
tion,  the  better  prepared  he  will  be  to  make  a 
compelling  argument  for  funding.  At  Equifax, 
Mecsics  has  one  employee  devoted  to  check¬ 
ing  government  sites  and  intelligence  sources 
to  gather  information  that  Mecsics  can  use  to 
make  his  cases  to  management.  (See  “One 
CSO’s  Toolkit  for  Executive  Communication,” 
Page  46.)  When  Mecsics  walks  up  to  the  sixth 
floor  to  the  executive  suites,  they  know  that 
he’s  coming  with  reproducible  information 
and  validated  data— as  opposed  to  something 
he  just  saw  on  the  evening  news  or  heard  from 
a  security  colleague. 

Mecsics  also  uses  a  data-mining,  mapping 
and  spreadsheet  technology  called  Compstat 
(developed  by  William  Bratton’s  staff  during 
his  tenure  as  New  York  City’s  police  commis¬ 
sioner)  to  identify  and  track  security-related 
incidents  within  the  company.  Bratton  used 
Compstat  to  find  specific  information  about 
the  criminal  patterns  in  the  city  down  to  the 
precinct  and  neighborhood  level  so  that  he 
could  better  mobilize  his  officers  to  solve  prob¬ 
lems. 

Mecsics  uses  it  for  the  same  purpose  but  is 
focused  specifically  on  the  company’s  network 
and  the  issue  of  security.  As  problems  and 
patterns  are  revealed,  Mecsics  and  his  team 
deploy  resources  to  fight  them.  The  process 
requires  constant  review  of  those  tactics.  If  a 
month  passes  and  nothing  improves,  then  the 
team  changes  its  approach.  “We  have  a  secu¬ 
rity  staff  huddle  session  once  a  month  where 
we  talk  about  major  issues  and  do  a  mini- 
Compstat  on  all  our  major  issues  whether  it’s 
fraud,  governance  or  legal  requirements,”  says 


Mecsics.  The  technology  not  only  enables  the 
security  team  to  get  a  jump  on  emerging  prob¬ 
lems  but  also  to  stay  on  top  of  longstanding 
issues  so  that  nothing  falls  through  the  cracks. 

s  there  such  a  thing  as  good  FUD? 
While  most  CSOs  claim  there  is  not,  a 
few  when  pressed  will  admit  that  if 
used  judiciously,  FUD  can  be  an  asset. 
Hansen  uses  it  for  tabletop  exercises  to  map 
out  worst-case  scenarios  and  measure  the 
company’s  level  of  preparedness  for  various 
situations.  “In  a  tight  economy,  CSOs  will  be 
more  likely  to  have  success  with  the  FUD 
approach,  especially  if  they  do  have  legitimate 
security  exposures,”  says  management  con¬ 
sultant  Schuler.  “Senior  management  is  often 
better  able  to  envision  dire  results  than  posi¬ 
tive  benefits.” 

So  a  little  fear  can  be  healthy  when  the 
risks  demand  it,  but  painting  a  vivid  picture 
shouldn’t  be  taken  to  the  point  of  exaggera¬ 
tion.  Schuler  admits  it  is  a  fine  line.  FUD 
should  be  the  weapon  of  last  resort.  When  it’s 
overused  or  used  carelessly,  it  can  put  a  CSO’s 
career  in  jeopardy.  “Our  bosses  are  not  used 
to  emotions,  and  a  CSO  owes  it  to  his  profes¬ 
sion  to  be  a  professional  and  make  a  business 
case,”  says  Mecsics.  “Not  to  be  the  guy  scream¬ 
ing,  ‘Batten  down  the  hatches!”’  ■ 

E-mail  Senior  Editor  Daintry  Duffy  at  dduffy@cxo.com. 


Make  your  case  for  FUD-free  security.  Visit 

CSOonline’s  STRATEGY  &  MANAGEMENT 
RESEARCH  CENTER  for  more  tips  on 
communicating  at  the  executive  level.  Go 
to  www.csoonline.com/strategy. 
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CIO  ENTERPRISE  VALUE  AWARDS 


New  This  Year!! 


We  are  adding  io  vertical 
industry  groupings  and 
a  new  category  of  awards. 
Applicants  will  apply 
and  be  honored  within 


their  own  industries. 
Winners  from  each 
industry  category 
will  automatically  be 
finalists  for  up  to  three 
Grand  CIO  Enterprise 
Value  Awards  for  excep¬ 
tional  achievement. 


As  a  Winner  You  Will: 


►  Be  featured  in  the  February  i,  2004, 
issue  of  CIO  magazine,  as  well  as  on 
CIO.com. 


►  Attend  the  Enterprise  Value  Retreat, 
where  you  will  exchange  practices  and 
lessons  learned  with  your  fellow 
winners  and  executive  peers. 

►  Be  celebrated  at  a  dinner  and  awards 
ceremony  honoring  those  involved  in 
the  winning  system’s  success. 

►  Be  presented  with  four  beautiful  and 
unique  Enterprise  Value  Award  stars— 
each  a  handcrafted  piece  of  commis¬ 
sioned  art  created  by  sculptor  Jon 
Schackmuth. 


►  Have  the  opportunity  to  extend  the 
excitement  of  the  awards  night  with 
copies  of  a  professional  video  highlight¬ 
ing  your  winning  system. 

►  Receive  public  relations  assistance  to 
extend  the  awareness  of  this  award 
with  your  employees,  investors  and 
customer  communities  through 
support  of  CIO  magazine’s  News  and 
Information  team. 


►  Showcase  the  awards  evening  by 
participating  in  a  professional  photo 
shoot  at  the  ceremony. 

►  Enjoy  enhanced  recruiting 
opportunities. 


For  complete  application  instructions,  visit  our  website  at  www.cio.com/i\/i 


Criteria 

The  CIO  Enterprise  Value  Awards  honortechnology-enabled  business 
achievement.  Winners  will  be  chosen  from  entrants  who  submit  com¬ 
pleted  application  forms  to  CIO  magazine  by  May  15,  2003.  Entries 
will  be  judged  on  the  value  of  the  achievement  resulting  from  the  tech¬ 
nology  investment  and  the  degree  to  which  it  serves  the  organization’s 
mission.  Judges  are  looking  for  initiatives  that  have  had  a  broad  and 
significant  impact  on  the  enterprise  as  a  whole. 

Defining  Value 

We  invite  applicants  to  consider  the  broadest  possible  spectrum  of 
enterprise  value.  The  business  benefits  include  but  are  not  restricted 
to  STRATEGIC,  CUSTOMER,  FINANCIAL,  OPERATIONAL  and  SOCIAL 
impact. 

Selection  Process 

Finalists  are  selected  by  judging  teams  made  up  of  CIO  magazine  edi¬ 
tors  and  CIO  Enterprise  Value  Awards  Review  Board  members 
(respected  academics  and  consultants)  and  Judges  (a  blue-ribbon 
panel  of  leading  CIOs).  Once  the  judging  teams  have  selected  industry 
winners,  a  site  visit  from  a  member  of  our  Review  Board  may  be 
required  to  substantiate  claimed  benefits.  Site  visits  will  take  place  in 
July,  August  and  September.  The  Review  Board  will  present  its  find¬ 
ings  to  the  judging  panel  of  CIOs  for  final  selection  of  up  to  three 
Grand  CIO  Enterprise  Value  Award  winners. 

How  to  Apply 

Download  the  application  at  www.cio.com/eva  or  contact  Lynne 
Rigolini  at  eva@cio.com  or  call  508-935-4088. 

Important  Dates 

Deadline:  Applications  must  be  received  by  May  15,  2003. 
Notification:  Winners  will  be  notified  in  October  2003. 

Presentation:  Awards  ceremony  takes  place  during  the  CIO  Enterprise 
Value  Retreat,  February  8-10,  2004.  Winners  will  be  profiled  in  the 
February  1,  2004,  issue  of  CIO  magazine. 


Entry  Guidelines 

■  The  system  must  have  been  operational  prior  to 
April  1,2002. 

■  Entries  must  be  made  jointly  by  the  CIO/IT  execu¬ 
tive  sponsor  AND  by  the  business  sponsor  for 
whom  the  system  delivers  value.  Both  must  sign 
the  Truth  of  Information  release. 

■  Entrants  must  agree  to  be  featured,  along  with 
their  systems  and  organizations,  in  a  CIO  article. 

■  IT  vendors,  public  relations  and  advertising  com¬ 
panies,  consultants  and  otherthird  parties  may 
NOT  apply  on  behalf  of  another  company.  They  are 
encouraged  to  forward  the  application  to  the 
“owner”  of  the  system  or  to  contact  CIO  magazine 
to  recommend  that  the  client  be  contacted  to  fill 
out  an  application  form. 

■  IT  vendors  may  submit  applications  for  an  IT 
system  that  they  used  internally  to  help  run  their 
businesses  better. 

■  Entrants  will  apply  within  one  of  the  10  industry 
categories. 

1.  Manufacturing 

(including  automotive,  aerospace  and  defense, 
construction,  engineering,  chemicals,  metals 
and  mining) 

2.  Health  Care 

(providers  and  pharmaceuticals) 

3.  Financial  Services 
(banking,  insurance,  brokerage) 

4.  Government  and  Nonprofits 
(including  education) 

5.  Transportation 

(airlines,  trucking,  railroads,  shipping,  logistics) 

6.  Retail,  Wholesale  and  Distribution 

7.  Services 

(legal,  consulting,  real  estate) 

8.  Media  and  Entertainment 
(publishing,  radio  and  television,  etc.) 

9.  Travel  and  Leisure 

(cruise  lines,  hotels,  theme  parks,  casinos) 

10.  High  Tech,  Telecom  and  Utilities 


a  or  contact  Lynne  Rigolini  at  eva@cio.com. 
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Honoring  Business  Achievement  Through 
the  Innovative  Use  of  Information  Technology 

PREVIOUS  WINNERS 


APCOA  Inc.  1995 

AT&T  Universal  Card  Services 
Corp.  1994 

Bell  Atlantic  Corp.  1997 

Black  &Veatch  1998 

Brigham  &  Women’s  Hospital  1996 

Capital  One  Financial  Corp.  1999 

Caterpillar  Inc.  1995 

Charles  Schwab  &  Co.  2000 

The  Chase  Manhattan  Corp.  1997 

Chicago  Bureau  of  Parking  1994 

Commonwealth  of 
Massachusetts  1995 

Complete  Health  Services  Inc.  1994 

Con-Way  Transportation 
Services  Inc.  2003 

Dell  Computer  Corp.  2000 

The  Dow  Chemical  Co.  2002 

Enterprise  Rent-A-Car  2002 

Fidelity  Investments  1997 

Gensym  Corp.  1996 

Harrah’s  Entertainment  Inc.  2001 

Health  Decisions  Inc.  2003 

Household  Financial  Corp.  2000 

Hyatt  Hotels  &  Resorts  1995 

Kmart  Corp.  1995 

Lone  Star  Gas  Co.  1993 

Los  Angeles  County  Department  of 
Public  Social  Services  1994 

McDonnell  Douglas  Helicopter 
Systems  1996 


MacGregor  Medical 
Association  1997 

Medical  Center  of  Delaware  1993 

Michigan  Department  of 
Transportation  2002 

The  MITRE  Corp.  1999 

New  York  City  Department  of 
Finance  1998 

New  York  City  Transit  Authority  1993 

Office  Depot  Inc.  2001 

PA  Department  of  Environmental 
Protection  2002 

PC’s  Compleat  Inc.  1995 

The  Perrier  Group  of 
America  Inc.  1993 

Pfizer  Inc.  2000 

PPG  Industries  Inc.  1999 

Procter  &  Gamble  1998 

Rockwell  Space  Systems  Division 
(SSD)  1996 

The  SABRE  Group  1999 

SBC  Communications  Inc. 

1999,2002 

Schlumberger  Ltd.  1997 

South  Florida  Water  Management 
District  1994 

State  Street  Global  Advisors  1998 

SynOptics  Communications  Inc. 

1994 

Tech  Data  Corp.  1998 
Telogy  Inc.  1996 
Texas  Instruments  1993 


The  Wharton  School  of  the 
University  of  Pennsylvania  2003 

Travelers  Managed  Care  and 
Employee  Benefits  Operations  1993 

Tufts  University  2001 

United  Healthcare  Corp.  1996 

U.S.  Army  Pacific  Regional  Program 
Office  2000 

U.S.  Environmental  Protection 
Agency  1998 

University  of  Illinois  Medical 
Center  2003 

U.S.  Securities  and  Exchange 
Commission  2003 
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critical  infrastructure 
and  homeland  security 

public  policy  implications  for  business 

Conference  Topics _ 

•  Status  Report  on  the  Department  of  Homeland  Security 

•  Congressional  Homeland  Security  priorities 

•  Who  pays  for  what?  DHS  budget  implications 

register  NOW  (space  is  limited)  _ 

uschamber.com/ccc 

OR  CALL _ _ _ 

202.463.5517 

A  CONFERENCE  PRESENTED  BY  THE  CENTER  FOR  CORPORATE  CITIZENSHIP 
THE  NATIONAL  SECURITY  AFFAIRS  DEPARTMENT  OF  THE  U.S.CHAMBER  OF  COMMERCE 

EXCLUSIVE  MEDIA  SPONSORS  CIO  MAGAZINE  AND  CSO  MAGAZINE- 


Infosecurity  Survey 


A  survey  of  the  state  of  information  security,  as  measured 
against  ISO  guidelines,  shows  plenty  of  room  for  improvement. 
Is  the  problem  a  lack  of  overarching  vision,  a  dearth  of 
adequate  resources  or  a  little  of  both? 


NECDOTAL  EVIDENCE  suggests  that  infor¬ 
mation  security  is  surprisingly  immature,  frequently  underfunded 
and  often  poorly  implemented.  Now  survey  data  backs  up  those 
reports— at  least  to  a  point. 

Recently,  more  than  1,000  respondents  filled  out  an  online  self- 
assessment  tool  developed  by  the  Human  Firewall  Council  ( www 
.humanfirewall.org),  a  nonprofit  infosecurity  organization  that  uses 
words  like  alarming  and  dismal  when  describing  the  general  state  of 
information  security. 

While  those  reactions  are  more  subjective  than  the  survey  presen¬ 
tation  might  at  first  indicate  (more  on  that  follows),  practitioners 
agree  on  one  conclusion:  Information  security  has  a  long  way  to  go. 

Survey  Says... 

The  council’s  “Security  Management  Index”  (which,  in  spite  of  the 
broad  name,  refers  only  to  information  security)  is  an  online  ques¬ 
tionnaire  that  allows  organizations  to  grade  their  security  efforts  in 
10  categories,  based  on  the  ISO  17799  guideline  from  the  International 
Organization  for  Standardization  (see  “Holistic  Medicine”  at 


www.csoonline.com/printlinks,  for  the  category  descriptions).  The 
results:  Eight  out  of  10  respondents  earned  an  overall  grade  of  D  or  F 
(see  charts,  right,  for  scoring  breakouts  by  category  and  industry). 

The  Human  Firewall  Council  attributes  the  low  scores  principally 
to  a  point-solution  mind-set— seeing  each  problem  individually  and 
reacting  by  buying  a  solution  to  address  the  problem  at  hand  rather 
than  looking  at  the  whole  operation  and  devising  an  overall  approach 
that  includes  education,  policy,  architecture  and  so  forth.  That  kind  of 
thinking,  according  to  the  council,  dominates  the  corporate  mentality 
about  the  security  field  today.  “People  approach  infosecurity  through 
products,  but  that  only  addresses  the  tactical  side.  It’s  much  more  of 
a  business  problem,  and  people  are  just  starting  to  wake  up  to  that,” 
says  Michael  Rasmussen,  an  information  protection  analyst  for  Giga 
Information  Group  and  one  of  the  survey’s  principal  authors.  “I  can 
build  an  impenetrable  fortress  from  an  academic  sense,  but  if  the 
employee  sitting  behind  the  desk  gives  out  that  private  information,” 
then  the  fortress  is  all  for  naught.  The  ISO  standard  presents  a  more 
holistic  approach,  covering  categories  such  as  policy,  end  user  educa¬ 
tion  and  asset  classification,  in  addition  to  more  technical  areas. 
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Most  companies  are 
graded  poorly  in  infosecurity 
management  practices 


AVERAGE  GRADE  BY  CATEGORY 


Physical  and  environmental  security 

63% 

Communications  and  operations  management 

58% 

Access  control 

56% 

Information  security  policy 

52% 

Compliance 

47% 

Personnel  security 

44% 

Asset  classification  and  control 

44% 

Security  organization 

43% 

Systems  development  and  maintenance 

43% 

Business  continuity  management 

41% 

AVERAGE  GRADE  BY  INDUSTRY 

Financial  services 

57% 

Computer  and  software  manufacturing 

57% 

Services  provider 

55% 

Consulting 

54% 

Communications 

49% 

Manufacturing,  agriculture,  mining,  oil,  gas 

48% 

Wholesale,  retail  and  distribution 

47% 

Health  care 

44% 

Public,  government  and  military 

44% 

Other 

48% 

True  or  False? 

Still,  “alarming”  and  “dismal.”  To  what  extent  can  these  conclusions  be 
attributed  to  perpetually  underresourced  infosecurity  professionals 
crying  wolf? 

In  fact— despite  a  few  cautionary  notes— practitioners  say  the  sur¬ 
vey  instrument  and  results  appear  generally  reliable.  “I  think  the  sur¬ 
vey  is  excellent,  very  useful,”  says  Stephen  Locke,  chief  information 
security  officer  of  Northern  Trust,  a  Fortune  500  financial  services 
company.  Locke  stresses  the  need  to  avoid  sounding  the  klaxons  unnec¬ 
essarily  in  information  security.  “I’m  more  interested  in  instilling  a 
business  focus  and  not  a  paranoia  focus,”  he  says. 

As  with  many  large  companies,  Northern  Trust  uses  the  ISO  17799 
standard  as  a  guideline  for  its  information  security  efforts.  Still,  Locke 
notes  that  full  compliance  is  not  necessarily  realistic  for  everyone.  His 
own  company  earns  a  B-minus— or  about  80  percent— on  the  survey, 
which  he  attributes  not  to  oversights  but  to  rational  evaluation  of 
where  the  ISO  recommendations  are,  and  are  not,  appropriate  for 
their  particular  business  requirements.  ISO  compliance  is  enormously 
time  consuming,  and  Locke’s  company  and  his  staff  have  plenty  of 
other  demands  pulling  on  them— notably  legislation  such  as  the 
Gramm-Leach-Bliley  Act  and  the  Health  Insurance  Portability  and 
Accountability  Act  (better  known  as  HIPAA),  not  to  mention  assorted 
laws  for  doing  business  in  Singapore  and  other  places  around  the 
globe.  “We  spend  a  lot  of  time  with  federal  regulators  and  our  own  legal 
and  compliance  people,  and  it  takes  a  lot  of  time  for  my  staff  to  work 
through  all  this  documentation,”  says  Locke.  (For  more  on  the  chal¬ 
lenges  of  fully  implementing  ISO  17799,  see  “Guiding  Lite,”  March 
2003.) 

Grading  on  a  Curve 

Amother  possible  reason  for  lower  scores  of  some  other  survey  respon¬ 
dents,  says  Locke  (himself  a  former  manufacturing  company 
employee),  is  that  other  industries  vary  in  their  exposure  to  informa¬ 
tion  security  and  may  find  certain  categories  in  the  index  simply  less 
critical  than  do  financial  or  health-care  organizations. 

Finally,  there  is  one  more  significant  caveat  to  bear  in  mind  with  the 
survey  results:  The  assignment  of  letter  grades  is  quite  subjective.  For 
example,  a  company  that  checks  “partially  implemented”  for  a  partic¬ 
ular  set  of  ISO  best  practices  automatically  receives  a  score  (5  out  of 
10)  that  maps  to  a  failing  grade  for  that  category.  “In  my  opinion, 
partial  implementation  might  be  more  deserving  of  a  C,”  admits 
Rasmussen. 

Nevertheless,  the  index  makes  its  point.  “You  can  look  at  the 
methodology  and  say  it’s  skewed  one  way  or  another,”  says  Rasmussen, 
“hut  I  would  say  the  results  are  fairly  accurate  based  on  what  I  find  in 
the  field.”  -Derek  Slater 

You  can  find  the  “Security  Management  Index"  survey  instrument  at  www.humanfirewall.org. 


METHODOLOGY:  THE  RESULTS  REPRESENT  1,057  ORGANIZATIONS  THAT  TOOK  THE  SURVEY 
ONLINE  FROM  SEPTEMBER  TO  NOVEMBER  2002.  THE  AVERAGE  NUMBER  OF  EMPLOYEES  AT 
THESE  ORGANIZATIONS  IS  APPROXIMATELY  12.900.  RESPONDENTS  WERE  FROM  78  DIFFER¬ 
ENT  COUNTRIES.  THE  MAJORITY  (55  PERCENT)  BASED  IN  THE  UNITED  STATES. 

NOTE:  THE  SCORES  FROM  THE  SURVEY  SHOULD  BE  CONSIDERED  SIMILAR  TO  A  GRADE 
ON  AN  EXAM  WHERE  ANYTHING  LESS  THAN  A  70  IS  UNSATISFACTORY  AND  IS  ASSIGNED 
A  GRADE  OF  D  OR  BELOW. 


Want  to  know  how  your  company  stacks  up  against  industry  peers  and 
competitors?  Several  EXCLUSIVE  SECURITY  SURVEYS  are  just  a  click 
away  on  CSOonline.  Read  reports  on  IT  spending,  security  confidence  and 

theCSOrole.Gotowww.csoonline.com/csoresearch. 
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Technologies^  Tools 
and  Tactics 


Hard-Disk  Risk 

Are  all  those  old  hard  drives  you’re  getting  rid  of  free  of  important  company  data? 

Don’t  be  so  sure.  By  Simson  Garfinkel 


FEW  YEARS  AGO,  WHEN  I 
was  in  Silicon  Valley  with  nothing  to  do,  I 
stopped  by  one  of  the  valley’s  famed  stores 
that  sell  used  and  “recycled”  computers.  In 
the  store’s  front  were  used  minicomputers, 
workstations,  terminals  and  lots  of  old  PCs 
that  had  all  seen  better  days.  Then  I  noticed 
that  the  store  was  selling  used  hard  drives  as 
well.  A  10GB  drive  could  be  had  for  just 
$30— quite  a  bargain  at  the  time. 

‘You  clear  the  information  off  these  drives 
before  you  sell  them?”  I  asked  innocently. 

“Absolutely,”  said  the  man  behind  the 
counter.  “I  do  it  myself.  We  run  FDisk  on 
every  drive.  There’s  no  way  to  get  back  the 
information  after  you  do  that.” 

Really?  Turns  out  he  was  wrong.  Running 
Windows  FDisk  on  a  10GB  drive  overwrites 
only  0.01  percent  of  the  drive’s  sectors. 
Although  Windows  doesn’t  give  you  any  tools 
for  recovering  the  data  afterward,  many  such 
tools  are  currently  on  the  market  (for 
descriptions  of  those  tools,  see  “Tools  of  Evi¬ 
dence,”  Machine  Shop,  March  2003). 

But  the  real  treasure  trove  that  day  wasn’t 
on  the  store’s  display  shelves;  it  was  in  the 
warehouse.  The  cavernous  space  out  back 
had  several  shelves  stacked  high  with  old 
hard  drives,  each  $5,  “as  is  and  untested,” 
according  to  the  sign.  In  other  words,  nobody 
had  even  run  FDisk  on  those  drives.  Pop  one 
into  a  computer,  and  you  could  recover  the 


previous  owner’s  files  simply  by  running 
XCopy. 

I  bought  20  of  them. 

I  took  the  drives  home  and  started  my 
own  forensic  analysis.  Several  of  the  drives 
had  source  code  from  high-tech  companies. 
One  drive  had  a  confidential  memorandum 


describing  a  biotech  project;  another  had 
internal  spreadsheets  belonging  to  an  inter¬ 
national  shipping  company. 

Since  then,  I  have  repeatedly  indulged  my 
habit  for  procuring  and  then  analyzing  sec¬ 
ondhand  hard  drives.  I  bought  recycled  drives 
in  Bellevue,  Wash.,  that  had  internal  Microsoft 
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e-mail  (somebody  who  was  working  from 
home,  apparently).  Drives  that  I  found  at 
an  MIT  swap  meet  had  financial  infor¬ 
mation  on  them  from  a  Boston-area 
investment  firm.  Last  summer,  I  started 
buying  drives  en  masse  on  eBay. 

In  all,  I  bought  and  analyzed  the  con¬ 
tent  of  more  than  150  drives  with  the  help 
of  Abhi  Shelat,  another  graduate  student 
at  MIT’s  Laboratory  for  Computer  Sci¬ 
ence.  We  found  that  between  one-third 
and  one-half  of  the  drives  still  had  signif¬ 
icant  amounts  of  confidential  data,  even 
though  many  had  been  through  a  For¬ 
mat  or  FDisk  operation.  On  another  third, 
someone  had  deleted  the  document  files 
but  left  the  applications  behind.  It  was  a 
simple  matter  to  undelete  the  data  files 
and  retrieve  their  secrets  as  well. 

In  fact,  only  10  percent  of  the  drives  I 
purchased  had  been  properly  sanitized. 

Much  of  the  data  we  found  was  truly 
shocking.  One  of  the  drives  once  lived  in 
an  ATM.  It  contained  a  year’s  worth  of 
financial  transactions— including  account 


numbers  and  withdrawal  amounts— from 
a  organization  that  had  a  legal  require¬ 
ment  to  not  divulge  such  information. 
Two  other  drives  contained  more  than 
5,000  credit  card  numbers— it  looked  as 
if  one  had  been  inside  a  cash  register. 
Another  had  e-mail  and  personal  finan¬ 
cial  records  of  a  45-year-old  fellow  in 
Georgia.  The  man  is  divorced,  paying 
child  support  and  dating  a  woman  he  met 
in  Savannah.  And,  oh  yeah,  he’s  really  into 
pornography. 

Abhi  and  I  published  our  findings  ear¬ 
lier  this  year  in  IEEE  Security  and  Pri¬ 
vacy  journal.  The  story  got  a  lot  of  media 
attention.  It  seems  that  many  people 
have  heard  that  some  used  computers 
still  have  confidential  information  on 


their  hard  drives,  but  few  suspected  the 
scale  of  the  problem. 

Suds  for  Your  Hard  Drive 

So  what’s  to  be  done? 

Perhaps  the  saddest  observation  in  our 
story  is  that  erasing  information  from 
hard  drives  is  not  difficult— with  a  little 
bit  of  Web  searching,  we  found  more 
than  50  programs  that  purport  to  clean 
your  hard  drive  so  that  the  information 
on  it  cannot  be  recovered  using  even  the 
most  advanced  technical  means.  One 
program  costs  more  than  $1,000,  but 
some  cost  only  $20  or  $30,  while  still 
others  are  free.  All  of  the  programs  do 
more  or  less  the  same  thing:  They  repeat¬ 
edly  overwrite  the  blocks  on  your  com¬ 
puter’s  hard  drive  with  random  bit 
patterns,  completely  obscuring  the  infor¬ 
mation  that  was  previously  there. 

These  so-called  disk  sanitizers  actu¬ 
ally  come  in  two  varieties.  The  first  is 
programs  that  promote  themselves  as  file 
shredders,  secure  erasers  or  slack-space 


sanitizers,  designed  to  be  used  on  a  run¬ 
ning  computer  system.  They  overwrite 
blocks  on  your  disk  that  aren’t  actively 
being  used  to  store  files  but  might  have 
been  used  in  the  past  for  file  storage. 
These  programs,  such  as  SecureClean 
from  AccessData,  assure  that  deleted  files 
are  no  longer  recoverable.  The  best  will 
sanitize  other  kinds  of  telltale  privacy 
leaks,  including  browser  caches,  tempo¬ 
rary  files  and  certain  kinds  of  cookies. 

The  second  kind  of  program  will  com¬ 
pletely  erase  the  contents  of  a  disk— just 
the  thing  when  you  want  to  upgrade  the 
PCs  in  the  accounting  department  and 
redeploy  them  on  reception  desks 
throughout  your  enterprise.  The  pro¬ 
grams,  properly  called  disk  sanitizers  but 


ROI  Is  King 

So  many  products,  so  little  budget.  That’s  the  com¬ 
mon  refrain  in  today’s  tight  economic  conditions-in 
security  and  every  other  area  of  corporate  spending. 

Vendors  to  the  rescue:  Feeling  their  customers’ 
pain,  providers  of  information  security  software,  hard¬ 
ware  and  services-from  the  simple  to  the  extremely 
complex— are  creating  "return  on  investment  calcula¬ 
tors.”  That's  a  fancy  designation  for  a  spreadsheet 
that  helps  identify  hard  money  payback  for  buying  a 
given  product. 

Palisade  Systems'  PacketHound  is  a  network  man¬ 
agement  appliance  that  allows  users  to  measure  and 
(if  desired)  limit  or  block  particular  types  of  network 
traffic.  So  its  ROI  calculator  helps  identify  the  costs 
associated  with  “bandwidth-hogging  applications" 
such  as  Napster-like  music-swapping  services.  This  is 
one  of  the  simplest  return  on  investment  tools— it 
bases  its  results  on  just  three  variables.  Jump  on  the 
website  ( www.palisadesys.com ),  plug  in  your  connec¬ 
tion  speed  (T1  for  example),  approximate  cost  band¬ 
width  and  percentage  of  bandwidth  that’s  being  eaten 
up  by  such  applications  (which  you  can  estimate 
using  a  free  tool  called  PacketPup).  Push  the  button 
and  up  pops  your  putative  savings  for  freeing  up 
bandwidth  with  PacketHound. 

At  the  same  time,  Palisade’s  materials  prod  CSOs 
and  network  managers  to  consider  additional  costs 
not  covered  by  the  ROI  tool:  liability,  lost  productivity 
and  security  exposures. 

Another  simple  example  of  an  ROI  calculator  promotes 
Kensington’s  MicroSaver  cables  for  locking  up  lap¬ 
tops  and  desktop  PCs,  based  on  the  cost  of  hardware 
theft  or  loss.  Find  the  details  at  www.microsaver.com. 

Radware’s  FireProof  multifunction  hardware  device 
is  a  slightly  more  complex  product,  with  a  more  elab¬ 
orate  ROI  calculator  to  match.  FireProof  incorporates 
intrusion  detection,  denial-of-service  protection,  mail 
filtering  and  other  security  functions.  The  online  ROI 
tool  is  accordingly  broken  into  several  different  seg¬ 
ments,  including  the  costs  of  downtime,  intrusion 
detection  system  deployment  and  application  secu¬ 
rity.  The  URL  is  www.radware.com. 

Lumeta  offers  a  sophisticated  ROI  aid  for  its 
Discovery  Suite  network  management  tool  at 
www.lumeta.com.  Lumeta’s  software  helps  big  com¬ 
panies  with  asset  discovery  and  management;  the 
calculator  identifies  eight  areas  for  possible  payback, 


The  used-computer  market  is  literally 
awash  with  personal  information  from 
businesses  and  individuals,  yet  there  are 
relatively  few  cases  of  that  information 
being  used  for  nefarious  purposes. 
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1  ]  WIN  WITH  SELF-MANAGEMENT:  Whether  it’s  boy  bands  or  rubber 
bands,  software  that  effectively  manages  an  e-business  is  essential.  B 
software  that  corrects  problems  before  they  occur?  That’s  extraordinary 

2]  WIN  WITH  TIVOLI:  Unlike  other  solutions  that  tell  you  you’ve  violated 
a  service  level  agreement  after  the  fact,  Tivoli  software  detects 
trends  and  makes  adjustments  before  things  go  awry.  Tivoli.  Part  of  ou 
software  portfolio,  including  DB2®  Lotus®  and  WebSphere® 

3]  MAKE  THE  PLAY:  Visit  ibm.com/tivoli/unexpected  and  download 
a  free  buyer's  guide  on  how  to  meet  your  service  level  agreements. 


sometimes  called  disk  shredders,  repeat¬ 
edly  overwrite  eveiy  block  of  a  disk  drive, 
then  fill  the  drive  with  zeros. 

The  best  disk  sanitizers  come  on  a 
bootable  floppy  or  CD-ROM.  You  insert 
the  removable  media  into  the  computer 
to  be  wiped  clean,  boot  the  computer  and 
verify  your  intentions  to  the  program.  It 
does  the  rest.  Clearly,  these  programs  can 
be  dangerous  in  the  hands  of  a  disgrun¬ 
tled  employee— one  reason  it’s  always  a 
good  idea  to  restrict  physical  access  to  your 
most  important  systems.  One  disk  sani¬ 
tizer  I’m  particularly  fond  of  is  called  Auto¬ 
clave.  You  can  download  it  from  staff 
.washingto7i.edu/jdlarios/autoclave,  write 
it  to  a  floppy  and  go  to  town. 

But  the  study  that  Abhi  and  I  did 
shows  that  many  organizations  are  sim¬ 
ply  not  taking  the  problem  seriously. 

One  key  reason  for  today’s  poor  disk 
sanitization  practices  is  that  it’s  very  dif¬ 
ficult  to  tell  the  difference  between  a  disk 
that  has  been  properly  sanitized  and  one 
that’s  simply  been  reformatted.  Both  look 
blank  to  the  untrained  technician— you 
need  forensic  tools  to  tell  the  difference. 
You  also  need  to  put  the  drive  in  a  work¬ 
ing  computer.  So  simply  checking  to  see 
if  a  disk  is  sanitized  can  be  prohibitively 
expensive  in  many  cases. 

Another  reason,  we  suspect,  is  that 
most  people  don’t  appreciate  the  risk— 
the  used-computer  market  is  literally 
awash  with  personal  information  from 
businesses  and  individuals,  yet  there  are 
relatively  few  cases  of  that  information 
being  used  for  nefarious  purposes. 

Is  data  left  on  salvaged  hard  drives  a 
problem  for  the  typical  CSO?  I  think  it  is. 
We  spend  so  much  time  and  money  try¬ 
ing  to  protect  the  information  on  our 
computers,  it’s  utterly  irresponsible  for  us 
to  then  just  throw  it  out.  Why  should  the 
confidentiality  of  data  in  your  organiza¬ 
tion  depend  on  the  good  intentions  of  a 
person  who  buys  one  of  your  used  drives? 

Search  and  Recovery 

This  whole  world  of  disk  sanitization  can 
be  very  off-putting  to  the  average  CSO. 
Many  people  maintain  that  shadowy 
organizations  such  as  the  National  Secu¬ 
rity  Agency  can  retrieve  data  from  a  hard 


drive  even  after  that  data  has  been  over¬ 
written  with  a  random  pattern.  Some  say 
that  you  need  to  overwrite  a  hard  drive 
not  once,  but  seven  or  even  22  times. 

Such  lore  has  even  made  its  way  into 
the  disk  sanitization  programs.  Super- 
Scrubber  from  Jiiva,  one  of  the  few  Mac¬ 
intosh  data  sanitization  products,  offers 
five  so-called  security  levels:  Simple  (not 
secure),  Simple  +  Verify  (not  secure), 
Strong,  Military  and  Paranoid.  Why  in 
heaven’s  name  would  a  security  profes¬ 
sional  use  a  security  program  in  a  man¬ 
ner  that  the  program  itself  claims  is  not 
secure?  Such  attitudes  and  programs 
make  the  task  of  erasing  hard  drives  seem 
so  daunting  that  many  people  are  appar¬ 
ently  scared  away.  Why  try  to  solve  a 
problem  that’s  basically  unsolvable? 

In  fact,  there  is  no  unclassified  evi¬ 
dence  that  data  on  a  modern  hard  drive 
can  be  recovered  after  it  has  been  over¬ 
written  with  just  a  single  pass  of  random 
information.  Some  have  made  such 
claims,  but  no  such  recovery  has  ever 
been  demonstrated  in  public.  Today’s 
hard  drives  are  specifically  designed  not 
to  work  that  way.  When  you  save  a  new 
version  of  a  Microsoft  Word  file  on  your 
hard  drive,  for  instance,  you  want  to  get 
the  new— not  the  old— version. 

A  growing  number  of  businesses  offer 
to  properly  sanitize,  refurbish  and  reload 
your  computers  with  “clean”  software 
before  the  machines  are  repurposed 
within  your  organization  or  sold. 
Although  outsourcing  sounds  attractive, 
I’m  concerned  that  it  is  exceptionally  dif¬ 
ficult  to  audit  those  companies  and  make 
sure  they  are  actually  deleting  your  data. 

In  the  end,  preventive  technology  is  a 
better  solution  to  the  sanitization  prob¬ 
lem.  If  you  use  an  encrypted  file  system, 
you  can  sanitize  a  disk  simply  by  erasing 
the  key.  I’d  like  to  see  that  sort  of  tech¬ 
nology  built  in  to  hard  drives.  Or  better, 
perhaps  someday  soon,  all  disk  drives 
will  come  with  a  self-destruct  feature- 
just  like  Star  Trek's  Enterprise  did!  ■ 

Simson  Garfinkel,  CISSP,  is  a  technology  writer  based 
in  the  Boston  area.  He  is  also  CTO  of  Sandstorm  Enter¬ 
prises,  an  information  warfare  software  company.  He 
can  be  reached  at  machineshopwcxo.com. 


including  reduced  risk  of  infosecurity  breaches,  server 
consolidation  and  reduced  downtime. 

And  at  the  very  high  end  of  the  complexity  spectrum, 
there’s  the  identity  management  study  (and  resulting 
total  cost  of  ownership  and  ROI  tools)  from  Gartner, 
commissioned  by  a  set  of  identity  and  access  man¬ 
agement  (1AM)  vendors.  1AM  systems  are  an 
expensive  enterprise  sell— and  helping  corporate 
management  realize  that  up  front  actually  helps  set 
realistic  payback  expectations.  “I  think  the  study 
opens  management’s  eyes  in  two  areas.  One,  the 
magnitude  of  opportunity  for  improvement,  and  then 
also  that  the  cost  of  implementation  is  greater  than 
they  anticipate,"  says  Norm  Barber,  managing  direc¬ 
tor  of  ID  management  practice  at  Protiviti,  one  of  the 
study’s  sponsors  ( www.protiviti.com ).  Full  deploy¬ 
ment  can  extend  to  two  or  three  years  for  big  1AM 
projects,  Barber  says,  but  the  payback  can  begin 
within  the  first  year. 


If  that  list  doesn't  satisfy  the  insatiable  demand  for 
ROI  calculators,  never  fear-there's  even  a  toolkit  for 
building  your  own.  Aberdeen  Group  and  Alinean,  a 
software  purveyor  that  focuses  on  information  sys¬ 
tems  ROI  ( www.alinean.com ),  teamed  up  to  create 
the  Security  ROI  Selling  Toolkit,  which  is  intended 
both  for  IT  organizations  doing  their  own  purchasing 
cost  justifications,  and  for  information  security  ven¬ 
dors  aiming  to  pump  up  their  products  with  the  same 
tactics  as  their  brethren  above. 

-Derek  Slater 
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Check  Point  Internet  Security. 

Protect  your  network  at  every  moment,  every  level,  every  location. 


Every  minute,  every  day  Global  Fortune  500  companies  protect  their  networks  with  Check  Point’s  leading 
Internet  security  solutions.  Only  Check  Point  provides  true  Stateful  Inspection,  the  de  facto  standard  for 
Internet  security.  Forstate-of-the-net  protection,  Check  Point  has  developed  SmartDefense,  which  provides 
real-time  detection  and  protection  against  known  and  unknown  attacks.  With  our  leading  Firewall  and  VPN 
solutions  you’ll  get  the  most  secure,  most  scalable  and  most  comprehensive  security  in  the  industry.  Every 
possible  point  of  attack  is  covered  -  from  corporate  headquarters  to  the  remote  employee. 


Check  Point 


We  Secure  the  Internet. 


Find  out  how  to  truly  protect  your  network  by  getting  your  hands  on  our  mission  critical  white  paper  today —“Mitigating  the  SANS/FBI 
Top  20  Internet  Security  Vulnerabilities’.’  It  will  change  the  way  you  look  at  protecting  your  network,  www.checkpoint.com/top20/cso 


©2003  Check  Point  Software  Technologies  Ltd.  All  rights  reserved. 


Certification 

Uncertainty 


Still,  I  didn’t  know  if  the  CISSP  certification  was  legit 
or  not  until  I  plunked  down  my  money,  trekked  to  New 
York  City  and  sat  for  three  hours  one  Saturday  morning 
to  take  the  test. 

I  didn’t  take  the  seminar,  nor  did  I  bother  studying. 
With  nearly  two  decades  of  experience  in  information 
assurance  and  security,  I  figured  that  if  I  couldn’t  pass  the 
test  cold,  then  (ISC)2  really  was  a  scam. 

I  joined  another  40  or  so  people  on  the  day  of  the  test. 
We  were  all  handed  a  little  notebook  with  several  hundred 
multiple-choice  questions.  Some  of  the  questions  were 
“experimental,”  we  were  told;  that  is,  they  didn’t  count.  If 
we  thought  that  a  question  was  poorly  worded  or  ambigu¬ 
ous,  we  should  try  to  answer  it  as  best  we  could,  then 
write  a  critique  of  the  question  on  a  piece  of  scratch  paper. 
It  all  seemed  quite  straightforward  and  professional— at 
least,  it  did  until  I  opened  the  exam  book. 

In  all  my  years  as  a  student  and  computer  professional, 
I  have  never  seen  an  exam  as  poorly  written  as  the  CISSP 
certification  test.  Many  questions  could  not  be  answered 
accurately  because  their  basic  premise  was  flawed.  Some 
had  multiple  answers  that  were  correct;  others  had  no 
correct  answers.  The  exam  was  filled  with  acronyms  that 
weren’t  spelled  out— or,  worse,  were  spelled  out  incor¬ 
rectly.  I  passed  the  test,  but  the  exam’s  creators  made  me 
swear  that  I  would  never  reveal  the  questions  on  the 
exam,  so  I  can’t  give  you  specific  examples  of  the  levels  of 


Would  I  want  to  belong  to  a  club  that  had  me  as  a  member? 
As  it  turns  out,  I  do.  By  Anonymous 


REMEMBER  WHEN  I  FIRST  found  out  about  the  CISSP  certification 
back  in  the  1990s.  To  be  honest,  I  thought  it  was  a  scam— it  all  seemed  so  self-ref¬ 
erential.  Despite  its  highfalutin  name,  the  CISSP  certification  was  really  just  a 
paper  credential  handed  out  by  the  International  Information  Systems  Security 
Certification  Consortium— or  (ISC)2— an  organization  created  for  the  very  pur¬ 
pose  of  approving  such  Certified  Information  Systems  Security  Professionals! 

The  more  I  checked  into  it,  the  fishier  everything  seemed.  To  get  a  CISSP  cer¬ 
tification,  all  you  had  to  do  was  pay  (ISC)2  a  few  hundred  dollars  and  take  a  test. 
Maybe  all  by  itself  that  doesn’t  sound  so  bad.  But  the  same  piece  of  paper  adver¬ 
tising  the  test  also  offered  special  “CISSP  training  seminars”— costing  upward  of 
$2,000— that  were  designed  to  help  prospective  test-takers  pass  the  course.  Was 
(ISC)2  offering  the  seminars  as  a  community  service  to  those  trying  to  pass  the 
exam,  or  was  it  offering  the  exam  as  a  way  to  sell  expensive 
security  seminars?  I  couldn’t  tell. 

Now  there’s  no  denying  that  the  computer  security  pro¬ 
fession  needed  to  do  something  in  the  way  of  certifying  its 
practitioners.  Ever  since  security  started  making  big  head¬ 
lines  in  the  1990s,  a  growing  number  of  “security  consult¬ 
ants”  have  tried  to  cash  in  on  the  craze.  Some  of  these 
consultants  were  well-established  practitioners  who  really 
knew  their  stuff.  But  others  were  teenagers  whose  main 
claim  to  fame  was  being  arrested  by  the  FBI  for  breaking 
into  a  computer  system.  Some  of  these  kids  charged  hun¬ 
dreds  of  dollars  an  hour.  And  they  got  it.  The  whole  trend 
of  hiring  so-called  “reformed  hackers”  made  legitimate  prac¬ 
titioners  green  with  envy— and  disgust. 

I  may  be  wrong,  but  I  believe  that  the  creation  and  suc¬ 
cess  of  the  CISSP  certification  is  largely  a  reaction  to  the 
market  success  of  these  former  computer  criminals.  (ISC)2’s 
Common  Body  of  Knowledge  for  information  security 
assures  that  slick  kids  who  are  good  at  penetration  and  not 
much  else  wouldn’t  be  able  to  pass.  And  the  emphasis  on  the 
CISSP  Code  of  Ethics— particularly  the  prohibition  against 
“association  with  amateurs”  and  “appearing  to  associate 
with  criminals  or  criminal  behavior”— assures  that  any 
reformed  hackers  who  manage  somehow  to  pass  the  CISSP 
test  can  be  throwm  out  of  the  club  if  they  haven’t  really 
changed  their  ways. 
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silliness  to  which  the  exam  sunk,  but  take 
my  word  for  it:  The  CISSP  exam  of  several 
years  ago  was  an  abomination. 

Once  you  pass,  you  need  to  maintain  your 
good  standing  through  (ISC)2’s  Continuing 
Professional  Education  (CPE)  requirement- 
earning  at  least  120  credits  every  three  years. 
Such  mandates  are  common  throughout  the 
world  of  professional  certification— doctors 
and  lawyers  typically  continue  to  attend 
accredited  classes.  But  the  CPE  requirements 
for  the  CISSP  are  far  laxer:  Provided  you  pay 
your  annual  membership  dues  and  work  in 
the  industry,  it’s  hard  to  imagine  how  you 
could  not  retain  your  certification.  That’s 
because  CPE  credits  are  awarded  for  attend¬ 
ing  security  conferences,  attending  vendor 
presentations  or  even  viewing  a  security- 
oriented  webcast.  In  fact,  I’ll  receive  10  CPE 
credits  just  for  writing  this  article. 

CISSP  may  be  nothing  more  than  a  club, 


but  it’s  a  club  that  I’ve  joined,  and  I  hope  it’s 
one  that’s  keeping  out  the  riffraff.  When 
somebody  suggests  that  I  hire  a  “reformed 
hacker”  to  do  a  penetration  test  of  our  net¬ 
work,  I  don’t  need  to  launch  into  an  expla¬ 
nation  of  why  such  testing  won’t  actually 
increase  network  security.  All  I  have  to  say  is, 
“We  don’t  hire  consultants  without  a  CISSP.” 

With  policies  like  that  in  mind,  some  con¬ 
sultancies  have  become  CISSP  factories.  They 
hire  relatively  green  consultants,  throw  books 
at  them,  send  them  to  a  high-priced  prep 
course  and  get  them  through  the  CISSP 
exam.  I  haven’t  yet  decided  if  I  think  that 
practice  is  a  bad  thing.  On  one  hand,  those 
individuals  certainly  don’t  have  the  breadth 
of  knowledge  and  depth  of  experience  that 
the  CISSP  certification  once  implied.  On  the 
other,  at  least  they  come  out  of  it  knowing 
something  about  computer  security. 

To  address  that  complaint,  (ISC)2  now 


requires  that  CISSP  applicants  have  four 
years  of  “professional  experience  in  at  least 
one  of  the  10  information  security  domains” 
represented  in  the  Common  Body  of  Knowl¬ 
edge.  That  sounds  great.  Until  you  visit  the 
website  and  learn  that  professional  experi¬ 
ence  includes  “creative  writing,”  “research 
and  development,”  “management  of  proj¬ 
ects,”  and  “work  requiring  the  exercise  of 
judgment,  management  decision  making  and 
discretion.”  Call  me  crass,  but  I  interpret 
those  requirements  this  way:  A  person  who 
works  as  a  security  guard  for  four  years  in 
college  has  the  necessary  work  experience  to 
qualify  for  the  CISSP  certification. 

My  biggest  complaint  about  the  CISSP 
certification,  however,  is  that  many  more 
people  on  my  staff  need  front-line  experi¬ 
ence  with  security  than  just  my  CISSPs. 
Aspects  of  the  Common  Body  of  Knowledge 
should  be  ready  at  the  call  of  network  admin¬ 


istrators,  programmers  and  even  sales  pro¬ 
fessionals.  Insisting  on  security  professionals 
with  the  CISSP  certification  can  give  upper 
management  the  unfortunate  impression 
that  we’ve  hired  a  few  slick  foxes  who  are 
capable  of  watching  our  henhouse. 

For  example,  many  of  the  security  prob¬ 
lems  discovered  in  Microsoft’s  programs 
weren’t  part  of  the  security-critical  software. 
Instead,  the  problems  come  from  dumb  pro¬ 
gramming  mistakes— things  like  buffer  over¬ 
flows  and  the  failure  of  programs  to  properly 
validate  their  arguments.  The  same  is  true  of 
security-poor  websites  with  improperly 
designed  cookies  and  the  lack  of  code  that 
detects  password-guessing  attacks.  These 
aren’t  the  sort  of  high-level  security  configu¬ 
ration  issues  that  CISSPs  eat  and  breathe. 
Instead,  they’re  nuts-and-bolts  programming 
tasks  handled  every  day  by  shop-floor  pro¬ 
grammers.  The  tragedy  of  computer  secu¬ 


rity  is  that  small  bugs  can  have  huge  ramifi¬ 
cations. 

A  CISSP  can  design  networks  that  require 
two-factor  authentication,  but  a  sales  man¬ 
ager  who  forgets  his  laptop  at  an  airport  bar 
can  still  compromise  corporate  secrets.  A 
CISSP  can  write  a  policy  that  mandates  the 
use  of  home  firewalls,  but  if  an  executive’s 
daughter  downloads  software  over  Kazaa, 
that  firewall  probably  won’t  protect  the 
internal  network  when  the  virtual  private 
network  is  fired  up.  The  problem  is  rarely 
the  network’s  design.  It’s  the  network’s  users. 

As  far  as  industry  certifications  go,  the 
CISSP  has  a  lot  going  for  it.  According  to 
(ISC)2,  there  were  13,397  Certified  Infor¬ 
mation  Systems  Security  Professionals  as  of 
December  2002.  Meanwhile,  an  article  in 
Certification  Magazine  says  that  the  CISSP 
certification  is  the  best,  most  highly  ranked 
industry  certification  of  them  all.  Perhaps 
that  explains  whyAmazon.com  lists  15  books 
with  the  letters  “CISSP”  in  their  titles,  includ¬ 
ing  my  personal  favorite,  CISSP  for  Dum¬ 
mies,  by  Lawrence  Miller  and  Peter  Gregory. 

Certainly,  (ISC)2  takes  itself  quite  seri¬ 
ously,  and  the  organization  is  working  to 
resolve  some  of  the  aforementioned  prob¬ 
lems.  And  given  the  status  of  other  industry 
certifications,  it’s  easy  to  see  why  the  CISSP 
is  largely  regarded  as  the  “gold  standard.” 
Bottom  line:  Would  I  hire  somebody  who 
has  a  CISSP  certification  over  somebody  who 
doesn’t?  Absolutely.  But,  of  course,  it’s  best  to 
look  for  more  than  just  the  CISSP  certifica¬ 
tion:  things  such  as  degrees  from  established, 
accredited  colleges  and  universities,  real-life 
work  experiences,  references  and  referrals. 

The  biggest  reason  for  my  endorsement 
goes  back  to  that  CISSP  Common  Body  of 
Knowledge:  If  a  person  has  a  CISSP,  then  I 
know  that  he  has  probably  read  at  least  one 
book  on  the  topic  of  computer  security.  The 
job  applicant  probably  knows  something 
about  physical  security,  something  about  pol¬ 
icy  formation,  something  about  access  con¬ 
trol,  something  about  encryption  and  so  on. 
Sadly,  that  puts  his  resume  far  ahead  of  most 
others  that  cross  my  desk.  ■ 

This  column  is  written  anonymously  by  an  expert  security 
practitioner.  E-mail  reader  feedback  to  csoundercover 
@c xo.com. 


Insisting  on  security  professionals  with 
the  CISSP  certification  can  give  upper 
management  the  unfortunate  impression 
that  we’ve  hired  a  few  slick  foxes  who  are 
capable  of  watching  our  henhouse. 
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Simplified  Identity 


A  Webinar 

from 


and 

Microsoft 

Featuring  Ray  Wagner, 
Gartner  Research 


You  CAN  have  the  best  of  both  worlds 


Passwords  are  frequently  the  weakest  link  in  the  corporate  information  security 
chain.  Managing  identities  across  multiple  directories  makes  this  challenge  even 
greater. 


REGISTER  ONLINE 

or  for  more 
information  visit 


Microsoft's  Secure  Connected  Infrastructure  Program  prescribes  the  tools, 
services  and  protocols  available  today  to  create  a  more  secure  corporate  network. 


www.digitalpersona.com/webinar 


Learn  from  industry  security  experts  how  to  streamline  identity  management, 
replace  passwords  with  stronger  and  convenient  fingerprint  authentication  while 
significantly  reducing  IT  support  costs. 


DATE  OF  WEBINAR 

April  29,  2003 
8  a.m.  PST 


SIGN  UP,  listen  and  ask  questions  as  the  following  industry  leaders  discuss 
the  latest  advances  in  identity  management  and  user  authentication: 

•  Ray  Wagner,  Research  Director,  GARTNER  RESEARCH 

•  Jackson  Shaw,  Product  Manager,  Directory  Services/Windows 
2003  Server  Marketing,  MICROSOFT 

•  Vance  Bjorn,  CTO,  DIGITALPERSONA, 

•  Adolfo  Loera,  TELMEX/BIOMETRIA  APLICADA 

Moderated  by  Bob  Bragdon,  Publisher,  CSO  MAGAZINE 
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NETWORLD+INTEROP  LAS  VEGAS  2003 

Networking  is  changing  faster  than  any 
segment  of  the  information  world  and 
transforming  the  way  we  develop  and 
deploy  applications.  NetWorld+Interop  is 
the  one  event  that  gives  you  the  chance  to 
see  the  latest  products  and  solutions  while 
you  meet  with  the  best  and  brightest. 


In  Las  Vegas  this  spring  you'll  find  the 
ultimate  networking  experience  and 
real-world  solutions  in  these  key  areas: 

■  Security  aVolP 

■  Wireless  ■  Convergence 

■  Storage  ■  Web  Services 

■  Network  Management  ■  And  more! 


Be  part  of  the  one  can't-miss 
event  for  serious  Networking 
and  IT  professionals. 


or  call  888-886-4057. 

NOTE:  Please  use  Coupon  Code  493  and  Priority  Code  CSOA  when  registering. 
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Attention  Shoppers... 


Private  Life 

Logan  Roots  doesn’t  just  preach 
privacy,  he  lives  it.  The  Bay  area  computer 
programmer,  dismayed  by  privacy’s  eroding 
standards,  has  integrated  privacy  into 
everything  he  does.  Everything.  When  he 
was  at  a  medical  clinic  recently  for  a  routine 
procedure,  a  clinician  started  asking  per¬ 
sonal  questions.  Roots  demanded  to  know 
how  the  information  would  be  used  before 
he  let  the  clinic  treat  him.  “They  buckled,” 
he  says  giddily.  “They  gave  up  asking  me 
if  I  was  married  and  all  that.  It’s  not  that 
privacy  is  the  complete  binding  up  of 
information.  Privacy  is  the  freedom  to 
selectively  reveal  one's  self."  And,  appar¬ 
ently,  to  run  grocery  store  card  schemes.... 

CSO:  You  might  be  the  one  guy  on  the 
planet  who  reads  the  Windows  license  all 
the  way  through  before  installing  the 
operating  system. 

Logan  Roots:  I  had  to  upgrade  Windows 
for  work  recently,  and  I  requested  another 
laptop  from  the  company  because  of  the 
new  license.  Have  you  read  it?  That  license 
is  outrageous!  I  don't  want  that  thing  on 
my  computer. 

So  you  read  every  contract  you  come 
across? 

Absolutely. 

Do  people  in  line  behind  you  at  stores 
appreciate  that? 

People  in  line  behind  me  hate  me.  Just 
the  other  day  I  was  picking  up  a  prescrip¬ 
tion  and  was  reading  the  contract  that  came 
with  it,  which  said  the  pharmacy  could  use 
my  personal  information.  I  said,  "I  don’t 
agree  to  this."  They  were  shocked.  They 
said  no  one  had  ever  read  it. 


Did  you  sign? 

I  signed  it,  but  I  had  a  strategy.  I  made  it 
clear  to  management  I  was  signing  under 
duress,  that  I  felt  my  job  was  on  the  line 
if  I  didn’t  sign  it.  And  I  made  sure  I  had 
witnesses. 


And  the  people  behind  you? 

Annoyed. 


So  you’re  serious  about  protecting  your 
privacy? 

I  pay  in  cash  and  use  false 
names  for  as  many  goods  and 
services  as  possible.  I’m  even  in 
a  local  pool  of  people  who  swap 
[grocery  store]  club  cards. 

We  get  the  discounts  but 
bamboozle  the  data  analy¬ 
sis.  For  the  past  few  months 
I’ve  been  using  the  card  of  a 
person  who  died  two  years 
ago.  I’m  almost  sad  it’s 
time  to  switch  cards  again. 

I  love  the  dead  thing  so 
much. 


Just  how  concerned 
should  we  be  about  this 
network  of  club-card-swapping 
bamboozlers? 

We  try  to  outdo  each  other  when  applying 
for  cards  by  inventing  names  that  are  as 
phonetically  embarrassing  as  possible,  so 
the  cashier  says,  "Have  a  nice  day  Mr. 
...uh.”  It’s  kind  of  sad  and  beautiful  at  the 
same  time  when  you  see  the  recognition  in 
the  clerk’s  face  that  the  name  is  a  joke.  I’d 
say  the  swapping  program  is  a  success. 


Who  else  have  you  annoyed  with  your 
privacy  lifestyle? 

I  worked  at  a  company  that  was  getting 
bought  out,  and  it  discovered  that  I  had 
never  signed  one  of  those  basic  employee 
agreements.  In  order  to  complete  the  buy¬ 
out,  my  company  needed  the  agreement. 
Some  person  then  showed  up  with  a 
25-page  document  and  asked  me  to  sign 
it.  I  said  I’d  look  at  it,  figuring  I’d  take  it 
home  to  my  wife,  who’s  a  lawyer.  That 
person  came  back  a  half-hour  later  asking 
if  I  was  done  yet.  He  said,  “Just  sign  it. 

No  one  ever  reads  it.”  Of  course  it  was  a 
draconian  document  that  robbed  me  of  all 
my  privacy. 


You’ve  really  thought  about  this. 

I’ve  been  thinking  about  this  since  I  read 
an  article  that  said  anonymous  money- 
in  other  words,  cash— might  disappear.  I 
thought  if  that  ever  happens,  I’ll  just  start 
money  swaps.  It'll  be  a  quick  laundering 
scheme. 

Have  you  ever  invaded  someone’s  privacy? 

I  don’t  think  so.  Not  even  my  wife’s.  I’m 
the  most  technical  person  in  my  house.  I 
have  the  power  to  examine  any  data  on  any 
computer  in  my  house.  But  I  never  would. 
Seriously.  I  genuinely  believe  people  need 
their  own  space.  I  try  to  live  that  way.  ■ 
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ILLUSTRATION  BY  PATRICK  MEREWETHER 


Manage  Security 

Pol  i Cl 0S  instead  of 

Security  Products 


firewall  and  VPN  reduces  complexity  and  lowers 
your  structured  cost.  Manage  security,  not  technology. 


Enables  unified  firewall  and  VPN  security  from  laptops,  to  data  centers  and  mainframes. 


Centrally  manages  and  upgrades  local  and  remote  sites. 


Reliably  connects  fault-tolerant  VPNs  and  firewalls  with  multiple  ISPs. 


Grows  without  the  need  for  over  investing  or  fork-lift  upgrades. 


The  cost  of  your  security  complexity  is  higher  than  you  think 


Contact  us  today  to  learn  how  to  remove  complexity  from  your  security. 
Visit  www.stonesoft.com  or  e-mail  at  info@stonesoft.com 
Attend  or  view  our  webinars  at  www.stonesoft.com/seminars 


STOKESOFT 


Can  your  antivirus  software  provide  double  the  scanning  power?  Ours  can. 

Making  sure  your  company  is  secure  gets  more  and  more  difficult  every  day.  That's  why  eTrust™  Antivirus  v7 
from  Computer  Associates  uses  dual  scanning  engines  to  ensure  comprehensive  virus  protection.  It  processes 
data  in  real  time  to  search  out  and  eliminate  viruses,  and  it  also  scans  files  during  prescheduled  and 
off-peak  hours.  All  at  the  cost  of  most  single-engine  AV  products.  It's  more  than  just  twice  the  protection. 
It's  twice  the  peace  of  mind.  ca.com/etrust/antivirus 


eTrust"’ Antivirus 


Computer  Associates® 
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